US20160071040A1 - Method and system for enabling data usage accounting through a relay - Google Patents
Method and system for enabling data usage accounting through a relay Download PDFInfo
- Publication number
- US20160071040A1 US20160071040A1 US14/615,799 US201514615799A US2016071040A1 US 20160071040 A1 US20160071040 A1 US 20160071040A1 US 201514615799 A US201514615799 A US 201514615799A US 2016071040 A1 US2016071040 A1 US 2016071040A1
- Authority
- US
- United States
- Prior art keywords
- connection
- secure application
- data
- secure
- relay server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
- 238000000034 method Methods 0.000 title claims abstract description 123
- 230000006854 communication Effects 0.000 claims description 27
- 238000004891 communication Methods 0.000 claims description 27
- 230000000977 initiatory effect Effects 0.000 claims description 18
- 230000004044 response Effects 0.000 claims description 11
- 230000006855 networking Effects 0.000 claims description 8
- 230000003139 buffering effect Effects 0.000 claims 2
- 230000003213 activating effect Effects 0.000 claims 1
- 230000008569 process Effects 0.000 description 53
- 238000004364 calculation method Methods 0.000 description 20
- 238000012545 processing Methods 0.000 description 17
- 230000003993 interaction Effects 0.000 description 13
- 230000006870 function Effects 0.000 description 11
- 230000004048 modification Effects 0.000 description 11
- 238000012986 modification Methods 0.000 description 11
- 230000001413 cellular effect Effects 0.000 description 7
- 230000008901 benefit Effects 0.000 description 5
- 238000010586 diagram Methods 0.000 description 4
- 238000013507 mapping Methods 0.000 description 3
- 230000008520 organization Effects 0.000 description 3
- 238000005192 partition Methods 0.000 description 3
- 230000005540 biological transmission Effects 0.000 description 2
- 230000000903 blocking effect Effects 0.000 description 2
- 230000008859 change Effects 0.000 description 2
- 238000006243 chemical reaction Methods 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 238000005204 segregation Methods 0.000 description 2
- 238000012546 transfer Methods 0.000 description 2
- 230000009471 action Effects 0.000 description 1
- 230000007175 bidirectional communication Effects 0.000 description 1
- 230000002457 bidirectional effect Effects 0.000 description 1
- 239000000969 carrier Substances 0.000 description 1
- 230000010267 cellular communication Effects 0.000 description 1
- 238000004590 computer program Methods 0.000 description 1
- 230000001276 controlling effect Effects 0.000 description 1
- 238000007796 conventional method Methods 0.000 description 1
- 230000002596 correlated effect Effects 0.000 description 1
- 230000000875 corresponding effect Effects 0.000 description 1
- 230000001186 cumulative effect Effects 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000005538 encapsulation Methods 0.000 description 1
- 239000000463 material Substances 0.000 description 1
- 230000001151 other effect Effects 0.000 description 1
- 230000002085 persistent effect Effects 0.000 description 1
- 230000005641 tunneling Effects 0.000 description 1
- 230000000007 visual effect Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q10/00—Administration; Management
- G06Q10/06—Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
- G06Q10/063—Operations research, analysis or management
- G06Q10/0631—Resource planning, allocation, distributing or scheduling for enterprises or organisations
- G06Q10/06313—Resource planning in a project environment
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/02—Details
- H04L12/14—Charging, metering or billing arrangements for data wireline or wireless communications
- H04L12/1403—Architecture for metering, charging or billing
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/02—Details
- H04L12/14—Charging, metering or billing arrangements for data wireline or wireless communications
- H04L12/1432—Metric aspects
- H04L12/1435—Metric aspects volume-based
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L43/0876—Network utilisation, e.g. volume of load or congestion level
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/14—Session management
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/14—Session management
- H04L67/141—Setup of application sessions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/56—Provisioning of proxy services
- H04L67/563—Data redirection of data network streams
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/30—Security of mobile devices; Security of mobile applications
- H04W12/37—Managing security policies for mobile devices or for controlling mobile applications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/02—Details
- H04L12/14—Charging, metering or billing arrangements for data wireline or wireless communications
- H04L12/1485—Tariff-related aspects
- H04L12/1496—Tariff-related aspects involving discounts
Definitions
- the present description relates to methods and systems for data usage accounting and more particularly, to methods and systems for data usage accounting in computing devices with secure enterprise applications and personal applications.
- the employee's device may include both personal and secure applications, it may be desirable to bifurcate the process of data usage accounting.
- the employer may wish to receive an accounting of the data usage associated with the secure applications that have been installed on the employee's device on behalf of the employer. This accounting, however, needs to be separate from data accounting that may be attributable to unsecure applications that the employee may have installed for personal use.
- a method for enabling data usage accounting through a relay is described herein.
- the method can be practiced on a computing device that has secure applications and unsecure applications installed thereon. Initially, a request for a data session that includes a final endpoint can be received through a secure application. The request for the data session can be intercepted and modified to cause the request to be redirected back to the secure application. In addition, a connection with a relay component can be initiated instead of the final endpoint such that data usage accounting for the data session is to be conducted at a remote location.
- the final endpoint can be provided to the relay server to enable the relay component to establish a connection with the final endpoint.
- the connection with the relay component that is initiated can be transparent to the secure application, and the connection with the relay component that is initiated may be based on a protocol that is non-native to the secure application.
- This arrangement can mean that some portion of the secure application, such as the original code of the target application that comprises the secure application, may be abstracted away from the connection with the relay component, while some other portion of the secure application, like a secure framework and/or other code that has been integrated with the target application to create the secure application, may enable the abstraction and may facilitate the connection with the relay component.
- the original code of the target application does not have to be restructured, altered or re-written to account for the redirection of the request or for the (incompatible) protocol of the relay component.
- data from the secure application can be buffered while the connection with the relay component or the final endpoint is being established.
- Initiating the connection with the relay component may include providing an internet protocol (IP) address of the computing device to the relay component.
- IP internet protocol
- the connection that is initiated with the relay component is configured to support the transport of both unencrypted data and encrypted data for the secure application.
- a secure application that is installed on the device can be launched in which the device may have unsecure applications installed thereon in addition to the secure application.
- content may be requested from a final destination.
- the content request may be redirected back to the secure application, and a connection with a relay server can be initiated to enable retrieval of the requested content from the final destination and to enable an accounting of data of the retrieved content.
- the initiation of the connection with the relay server only occurs for the secure application and not for the unsecure applications.
- the final destination and an IP address of the computing device may be provided to the relay server.
- the connection of the relay server may be based on a protocol that is non-native to the secure application and redirecting the content request back to the secure application may include natively redirecting the content request back to the secure application. Natively redirecting may refer to the secure application relying on native calls when initially generating the data session request.
- initiating the connection with the relay server may include transparently initiating the relay connection with the relay server.
- the content request can be redirected back to the secure application for a plurality of predetermined networking calls from the secure application.
- the connection with the relay server may be predefined and able to accommodate each of the predetermined networking calls.
- initiating the connection with the relay server may include authenticating the computing device with the relay server prior to permitting data exchange between the secure application and the relay server.
- data from the secure application can be buffered while the connection with the relay server is established.
- a setting can be activated that prevents the content request from being redirected back to the secure application and the initiation of the connection with the relay server.
- a method of counting data associated with secure applications is also described herein.
- a request can be received to establish a relay connection with a requesting secure application installed on a computing device that includes both secure applications and unsecure applications.
- the computing device can be authenticated. If the device is authenticated, the relay connection with the requesting secure application can be established, and a connection with a final destination specified by the requesting secure application can be initiated.
- data associated with the final destination connection can be counted such that a data usage amount is determined for the requesting secure application. The counting of the data may only be performed for the secure applications.
- data associated with the final destination connection may be returned to the secure application over the relay connection.
- the relay connection may be based on a protocol that is non-native to the requesting secure application.
- receiving the request to establish the relay connection may include receiving the final destination specified by the requesting secure application and an IP address of the computing device.
- Establishing the relay connection with the requesting secure application may include establishing the relay connection with the requesting secure application only if the computing device is operating on a predetermined cellular network. This predetermined cellular network may be owned, operated or maintained by the same entity that performs the counting of the data associated with the final destination. A report that details the data usage of the secure applications installed on the computing device may also be generated.
- the computing device may include a display that is configured to display both secure and unsecure applications that are installed on the computing device and may also include a processing unit that is communicatively coupled to the display.
- the processing unit can be configured to receive a data access request through one of the secure applications in which the data access request may include a final destination.
- the processing unit may also be configured to cause a redirection of the data access request back to the secure application and to cause a connection with a relay server to be initiated to enable an accounting of data associated with the data access request.
- the relay server can be configured to establish a connection with the final destination specified by the secure application.
- the processing unit can be further configured to cause the redirection of the data access request and the connection with the relay server for the secure applications but not for the unsecure applications.
- the computing device can include a Wi-Fi communications stack that is communicatively coupled to the processing unit.
- the processing unit can be further configured to cause a setting to be activated to prevent the redirection of the data access request and the connection with the relay server if the computing device is connected to a Wi-Fi network through the Wi-Fi communications stack.
- This feature may be applicable to other networks.
- the setting may be activated if the computing device is camped on a roaming network or a network in which data usage charges are not applicable or not otherwise incurred for access or use.
- the computing device may also include memory that is communicatively coupled to the processing unit.
- the processing unit can be further configured to cause data from the secure application to be buffered in the memory while the connection with the relay server is established.
- the connection with the relay server may be based on a protocol that is non-native to the requesting secure application, and the processing unit is further configured to cause the connection with the relay server to be initiated transparently with respect to the requesting secure application.
- the connection with the relay server can be configured to support unencrypted traffic between the secure application and the final destination.
- the processing unit can be further configured to cause the connection with the relay server to be initiated by causing a listening socket on a loopback interface to be generated and a back-end socket to be generated.
- FIG. 1 illustrates an example of a block diagram of the system architecture of a computing device that is configured to practice the subject matter described herein.
- FIG. 2 illustrates an example of a system that shows the computing device of FIG. 1 in communication with one or more remote servers.
- FIG. 3 illustrates an example of a method for data usage accounting.
- FIG. 4 illustrates an example of an interaction among a secure application, a remote server and a system service.
- FIG. 5 illustrates another example of a method for enabling data usage accounting.
- FIG. 6 illustrates an example of an interaction between a secure application and a system server.
- FIG. 7 illustrates an example of a system that shows the computing device of FIG. 1 in communication with one or more relay servers and one or more remote servers.
- FIG. 8 illustrates an example of a method for data usage accounting through a relay.
- FIG. 9 illustrates an example of an interaction among a secure application, a relay server and a remote server.
- references in the specification to “one embodiment,” “an embodiment,” “an example embodiment,” “one arrangement,” “an arrangement” or the like, indicate that the embodiment or arrangement described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment or arrangement. Furthermore, when a particular feature, structure, or characteristic is described in connection with an embodiment or arrangement, it is submitted that it is within the knowledge of one skilled in the art to implement such feature, structure, or characteristic in connection with other embodiments or arrangements whether or not explicitly described.
- the word “among,” as it is used throughout this description, should not necessarily be interpreted as requiring exchanges or interaction among three or more applications, irrespective of grammar rules.
- the word “a” is not necessarily limited to a singular instance of something, as it may mean one or more.
- exemplary as used herein is defined as an example or an instance of an object, apparatus, system, entity, composition, method, step or process.
- communicatively coupled is defined as a state in which two or more components are connected such that communication signals are able to be exchanged (directly or indirectly) between the components on a unidirectional or bidirectional (or multi-directional) manner, either wirelessly, through a wired connection or a combination of both.
- a “computing device” is defined as a component that is configured to perform some process or function for a user and includes both mobile and non-mobile devices.
- computer readable storage medium is defined as one or more components that are configured to store instructions that are to be executed by one or more processing units.
- An “application” is defined as a program or programs that perform one or more particular tasks on a computing device. Examples of an application include programs that may present a user interface for interaction with a user or that may run in the background of an operating environment that may not present a user interface while in the background.
- the term “operating system” is defined as a collection of software components that directs a computing device's operations, including controlling and scheduling the execution of other programs and managing storage, input/output and communication resources.
- a “processing unit” or “processor” is defined as one or more components that execute sets of instructions, and the components may be disparate parts or part of a whole unit and may not necessarily be located in the same physical location.
- memory memory element
- repository storage
- shared memory is memory, a memory element or a repository that is accessible (directly or indirectly) by two or more applications or other processes.
- An “interface” is defined as a component or a group of components that enable(s) a device to communicate with one or more different devices, whether through hard-wired connections, wireless connections or a combination of both.
- An “input/output device” is defined as a device that is configured to at least receive input from a user or a machine that is intended to cause some action or other effect on a component with which the input device is associated.
- a “display” is defined as an apparatus that presents information in visual form and may or may not receive input through a touch screen.
- file system is defined as an abstraction that is used to organize, store and retrieve data.
- secure application is defined as an application that has been modified or enhanced from its original form to restrict communications between the application and unauthorized programs, applications or devices and to restrict operation of the application based on policy or to alter, augment or add features associated with the operation of the application (or any combination thereof) or—in the case of the application not being modified—an application that is part of a secure workspace that is protected from data exchanges with applications that are part of a personal or an unsecure workspace.
- a “target application” is defined as an application that has been selected for conversion into a secure application.
- An “unsecure application” is defined as an application that has not undergone the modification required to convert the application into a secure application and, as such, is unable to obtain data from a secure application in view of an obfuscation scheme employed by that secure application or is an application that is not part of a secure workspace and is restricted from accessing data from the secure workspace.
- a “hub application” is defined as an application that receives input from one or more secure applications and establishes connections with external entities on behalf of the secure applications that provide such input.
- a “virtual machine” is defined as a platform-independent execution environment that emulates a physical machine.
- personal workspace is defined as a workspace, profile or partition that is configured to contain the personal content and unsecure applications or other unsecure programs associated with a user of a computing device on which the personal workspace sits.
- secure workspace is defined as a workspace, profile or partition that is configured to contain secure content, secure applications and other secure programs and requires some form of authentication to be accessed.
- the term “content provider” is defined as a site that offers data for consumption by a computing device.
- system service is defined as an application or a set of applications on a computing device that offer one or more features for access by an unsecure application or a secure application.
- a “secure connection” is defined as a connection in which at least some portion of the data that is exchanged over the connection is encrypted or otherwise obfuscated from unauthorized parties, entities or processes.
- To “consume data” means to receive data from a source, transmit data to a recipient or both.
- An “external network entity” means an entity—such as a component or a service—that is part of a network that is external to or located remotely from a computing device.
- An “external entity” is defined as an entity to which an application wishes to establish a connection.
- a “final endpoint” or “final destination” is the external entity with which an application or process intends to establish a connection based on a data request.
- a “relay server” is a server that facilitates a connection between a computing device and a remote or content server or some other final endpoint or destination.
- solutions have been developed that enable a mobile device to include both personal and enterprise data. Accordingly, it may be useful to segregate data usage accounting associated with the enterprise side from usage associated with the personal space. This process can enable an enterprise to determine how much data that is consumed by the mobile device is the responsibility of the enterprise.
- a method and system for enabling data usage accounting is described herein.
- the method can be practiced on a computing device that has secure applications and unsecure applications installed thereon.
- a request for a data session that includes a final endpoint or destination can be received through a secure application.
- the request for the data session can be intercepted and modified to cause the request to be re-directed back to the secure application.
- a connection with a relay server can be initiated instead of the final endpoint such that data usage accounting for the data session is to be conducted at a remote location.
- this technique can be limited to the secure applications on the computing device, meaning the unsecure applications are unaffected. Virtually any type of data can be tracked and counted under this scheme, including digitized voice signals and other forms of communication, including messaging.
- data tracking can be conducted for secure applications or other applications associated with an enterprise or organization that are installed on a user's computing device based on that user's relationship with that enterprise or organization.
- This tracking can also be kept apart from any accounting performed for a user's personal usage, such as that associated with unsecure applications on the device.
- an enterprise can accurately determine its accountability for data usage by a computing device that includes both enterprise and personal data. This solution may be particularly useful for counting the data of the sessions at a remote location.
- the computing device 15 can include a hardware layer 20 , a kernel layer 25 and a libraries layer 30 , which may include a plurality of native libraries.
- This architecture may also include a runtime environment 35 , a system server 40 , a secure framework 45 and an application layer 50 .
- the hardware layer 20 may include any number and type of hardware components, such as one or more displays 55 , one or more input/output (I/O) devices 60 , one or more processing units 65 and any suitable type and number of memory devices 70 and interfaces 75 .
- the I/O devices 60 include speakers, microphones, physical keypads, etc.
- the display 55 can serve as an I/O device 60 in the form of a touch-screen display.
- the interface 75 can be configured to support various types of communications, including wired or wireless and through any suitable type of standards and protocols.
- the interface 75 can include one or more cellular communication stacks and one or more Wi-Fi communication stacks to enable the computing device 15 to conduct bidirectional communications with one or more cellular networks and one or more Wi-Fi networks, respectively.
- the hardware layer 20 may also include a calculation unit 77 , which can be configured to calculate or determine (or at least assist in the determination or calculation of) data usage totals associated with any type of session conducted on the computing device 15 , including those originating from the application layer 50 .
- the calculation unit 77 may be a separate component or may be part of the processing unit 65 .
- the calculation unit 77 may be remotely located such that it is external to the computing device 15 . In such a case, information regarding the sessions may be sent to a remote location that supports the calculation unit 77 , and the unit 77 can perform its calculation functions once it receives the information.
- the runtime environment 35 can support any suitable number of virtual machines 80 and core libraries 85 , although a virtual machine may not be needed in other arrangements, such as where native code is employed.
- the system server 40 can serve as an abstraction for the underlying layers for the applications in the application layer 50 and can provide numerous system services for the applications.
- a system framework which may be part of an application's process, can be employed to enable interaction with the system server 40 or other components.
- the application layer 50 may include any number of unsecure applications 90 and any number of secure applications 95 , one of which may be a core secure application 100 .
- the secure framework 45 can function in a manner similar to that of a conventional framework, but the secure framework 45 can facilitate the encapsulation of a number of secure applications 95 to selectively restrict their data exchanges with the unsecure applications 90 .
- the secure framework 45 can be configured to intercept and modify certain calls from the secure applications 95 , prior to passing them to the system server 40 . In one arrangement, these calls may be from the secure applications 95 or the system framework.
- the unsecure applications 90 are associated with the personal data of a user of the computing device 15 .
- the secure applications 95 are typically associated with confidential or otherwise sensitive information that belongs to or is associated with an enterprise or some other organization, and the user of the device 15 may work for such an entity.
- a virtual partition or workspace may be created on the computing device 15 in which the secure applications 95 (and the core secure application 100 ) are part of a secure workspace 105 , and the unsecure applications 90 are part of a personal workspace 110 .
- a user may be required to provide authentication information, such as a password, PIN or biometric data, to gain access to the secure workspace 105 or to any individual or group of secure applications 95 .
- some of the unsecure applications 90 may be system services 115 that provide features or functionality that is associated with the type of operating system that is installed on the computing device 15 .
- the system service 115 may be an application or a set of applications that live in the background and support different tasks associated with the operating system of the device 15 .
- System services 115 may facilitate the exposure of low-level functions of the hardware layer 20 and the kernel layer 25 to the higher-level application layer 50 .
- Many system services 115 may operate with elevated privileges, in comparison to other applications.
- a common system service 115 that is typically found on computing devices 15 is a media player, which processes and presents media data for a user.
- Another example of a system service 115 may be a photo viewer, which presents digital images for the user.
- the examples listed here are not meant to be limiting, and there are other system services 115 that may be available on the computing device 15 .
- the system services 115 may be trusted unsecure applications 90 that secure applications 95 are permitted to share or otherwise exchange data with.
- An example of a trusted unsecure application 90 may be an unsecure application 90 that is by default installed on the computing device 15 , such as by the manufacturer of the device 15 or a wireless carrier or other entity that provides services to the device 15 .
- Another example of a trusted unsecure application 90 may be an unsecure application 90 that is listed on an application whitelist for one or more secure applications 95 . By being part of the application whitelist, the trusted unsecure application 90 may be preapproved for data exchange with the relevant secure application(s) 95 . Additional information on application whitelisting can be found in U.S. patent application No. 61/973,898, filed on Apr. 2, 2014, which is incorporated by reference herein in its entirety.
- the secure applications 95 and the system architecture may be configured to enable at least some of the calls to the system server 40 to be intercepted.
- U.S. patent application No. 62/033,142 which was filed on Aug. 5, 2014 and is herein incorporated by reference in its entirety, describes a method and system in which some of the system classes are overridden by classes associated with the core secure application 100 , which can allow runtime hooks to be applied against certain system calls. Based on this technique, some of the calls that the secure applications 95 (or a system framework) make to the system services 115 can be intercepted and modified, a process that will described below.
- a secure application 95 can be configured to provide additional features that may not have been otherwise available prior to it being converted into a secure application 95 .
- a secure application 95 can be arranged to track the amount of data that it uses for a particular session. This process enables an administrator to determine data usage on a per-application basis.
- secure applications 95 may be managed in accordance with many other policies or configurations, as is known in the art.
- many system services 115 are default applications that are provided as part of the base configuration of the computing device 15 . The developer of the operating system that provides these system services 115 may not permit the system services 115 to be converted into secure applications 95 . As such, many system services 115 may remain as unsecure applications 90 on the computing device 15 . Accordingly, the operation of a system service 115 may not be amenable to being controlled or managed, as is the case with secure applications 95 . The relevance of this condition will be explained below.
- a hub application 120 may be part of the application layer 50 .
- the hub application 120 may serve as a connection point for any number of secure applications 95 to enable the secure applications 95 to connect to any suitable external entity, including various network components.
- the secure application 95 can request the hub application 120 to facilitate the communication.
- the hub application 120 can accept such requests from any of the secure applications 95 , including from a single secure application 95 at a time or from multiple secure applications simultaneously. In accordance with the description herein, such a technique can facilitate the accounting of data usage associated with secure applications 95 .
- the hub application 120 can be a daemon or some other process that runs in the background.
- the hub application 120 accepts requests from the secure applications 95 , it may be considered as part of the secure workspace 105 and may not be permitted to accept requests from the unsecure applications 90 . As an option, a similar arrangement can be made for the unsecure applications 90 , or, alternatively, the hub application 120 can be configured to accept requests from both secure applications 95 and unsecure applications 90 .
- the computing device 15 may contain personal applications and enterprise applications.
- the personal applications are designed for the personal interactions of a user, while the enterprise applications may be developed for the work or business interactions of a user.
- the enterprise applications in this setting may not necessarily be secure applications 95 , as described herein.
- a partition may be implemented in the computing device 15 to separate the personal applications from the enterprise applications. For example, a user may have separate log-ins for gaining access to the personal applications and to the enterprise applications. In this example, separate billing paths may be established for the personal applications and the enterprise applications, as is presented herein.
- a system 200 that shows the computing device 15 in communication with one or more remote servers 205 is shown.
- One or more communication networks 210 may facilitate the communications between the computing devices 15 and the remote servers 205 .
- the computing device 15 may be a mobile computing device, although the principles described herein may apply to desktop computers or other fixed equipment.
- a mobile computing device may be, for example, a smartphone, laptop, tablet or other devices that may be carried by an individual.
- the network(s) 210 may be composed of various types of components to support wireless or wired communications (including both).
- the network(s) 210 may also be configured to support local or wide area communications (or both).
- the remote servers 205 may host any number of web sites that offer content that may be retrieved by the computing device 15 and may also be configured to accept data from the computing device 15 . Because the servers 205 offer content, they may also be referred to as content providers, although the term “content provider” is certainly not limited to this particular example.
- the unsecure application 90 may sometimes forward the request to a relevant system service 115 . For example, if a user wishes to view a video associated with one of the remote servers 205 through an unsecure application 90 , the unsecure application 90 passes the request to a media player of the computing device 15 . The media player then retrieves the data from the appropriate server 205 and presents such data to the user.
- a similar request would normally be passed to the media player, as well.
- the media player would conventionally establish a connection with the relevant remote server 205 and would present the requested data to the user.
- the system services 115 are typically not permitted to be converted into secure applications 95 , implementing the feature of data accounting in them, as can be done with secure applications 95 , may not be possible. In this instance, difficulties are presented in determining the percentage of data usage that is associated with secure applications 95 in comparison to the consumption of data by unsecure applications 90 .
- the initial data request from the secure application 95 can be intercepted and modified prior to being passed to the media player.
- the media player (or other system service 115 ) can direct the request back to the secure application 95 , and a connection can be established between the secure application 95 and the appropriate remote server 205 to facilitate the exchange of data between the secure application 95 and the remote server 205 .
- This redirection of the request through the secure application 95 can enable an accounting of the amount of data that is associated with this particular session, a feature that can be incorporated into secure applications 95 . Accordingly, an accurate accounting of data usage associated with at least some or all secure applications 95 on the computing device 15 is now possible.
- the counting of the data associated with a secure application 95 is not limited to being performed by the secure application 95 or even the computing device 15 , as the calculation can be performed remotely.
- This arrangement can enable an entity to determine the percentage of data usage that is attributable to it and to the user on a personal basis. Because data usage may be segregated between enterprise use and personal use, the enterprise may be able to craft more accurate data plans with wireless carriers or other similar entities. Moreover, the user, who may own the computing device 15 , would understand that the user would not be charged for data usage associated with that user's work or business and that the user would only be paying for personal data consumption.
- a method 300 of data usage accounting is shown.
- the method 300 may include additional or even fewer steps or processes in comparison to what is illustrated in FIG. 3 .
- the method 300 is not necessarily limited to the chronological order that is shown in FIG. 3 .
- FIGS. 1 , 2 and 4 reference may be made to FIGS. 1 , 2 and 4 , although it is understood that the method 300 may be practiced with any other suitable systems and components and may take advantage of other suitable processes.
- a request to access data can be received via one of the secure applications in which the request is intended for a content provider via a system service.
- the request intended for the content provider via the system service can be intercepted, as shown at step 310 .
- the intercepted request can be modified, which can cause the system service to direct the request back to the secure application instead of the content provider.
- a connection can be established with the content provider for the request through the secure application to enable data usage accounting of data that is returned by the content provider, as shown at step 320 .
- step 325 content from the content provider can be received at the secure application, and the received content from the content provider can be forwarded to the system service for processing, as shown at step 330 .
- An amount of data that is carried over the established connection associated with the secure application can be determined, as shown at step 335 .
- a user may wish to access data through, for example, a secure application 95 that is installed on the computing device 15 .
- the user may desire to retrieve some type of content, such as video, through the secure application 95 .
- the content may need to be retrieved from one of the remote servers 205 .
- the data access request would be passed to the relevant system service 115 and the system service 115 would fetch the content from the remote server 205 .
- the data access request may be intercepted prior to being handled by the operating system and can be modified to direct the request back to the secure application 95 instead of the remote server 205 . Reference will be made to FIG. 4 to help explain this process.
- FIG. 4 an example of an interaction 400 between the secure application 95 , the system service 115 and the remote server 205 is shown.
- the data access request is received and is intercepted and modified.
- the data access request is for video that is stored at one of the remote servers 205 that is associated with a website or some other form of digital content
- the system service 115 is a media playback application.
- the API that is associated with the media playback service can be hooked.
- the uniform resource indicator (URI) related to this data request may be a uniform resource locator (URL) with the associated content available via the hypertext transfer protocol (HTTP) or the hypertext transfer protocol secure (HTTPS).
- HTTP hypertext transfer protocol
- HTTPS hypertext transfer protocol secure
- the URL may be changed prior to being passed to the system service 115 .
- the modification of the URL in one embodiment, may be based on a port number that is provided by the operating system.
- the secure application 95 may create a listening socket on a loopback interface by requesting a socket and port number from the operating system.
- the loopback interface can support inter-process or inter-app communications on the computing device 15 .
- the requested port may be a predetermined value or may be simply a request to the operating system to provide an available port number.
- the URL may be converted into a local-host URL that includes the assigned port number and the rest of the information from the original URL.
- the modified URL may then be passed across to the system service 115 , in this case, the media player.
- multiple listening sockets and ports may be requested from the operating system as part of this process.
- a user may select a link through a secure application 95 , which may have the following exemplary URL associated with it:
- the secure application 95 may request a socket and port value from the operating system, and the port value can factor into the modified URL.
- the original URL may be transformed into the following local-host URL:
- the port value “4444” is now part of the URL string, which can cause the system service 115 to point back to this port created by the secure application 95 .
- the modified URL can include the port value, and the remote information can be added as parameters in the modified URL.
- the secure application 95 can create a proxy when the data is initially requested through the secure application 95 .
- the proxy can act as the intermediary between the system service 115 and the remote server 205 . In doing so, the proxy may listen in on any sockets that were created for the overall modification of the data access request.
- each secure application 95 can be individually configured to generate the proxy for relevant data requests that it receives.
- the secure application 95 may record a copy of the information associated with the original data request and can map that information to the redirect address that has been created.
- the secure application 95 may record the information associated with the original URL in any suitable database, such as the memory 70 of FIG. 1 , and can map this information to the port that was assigned to the modified URL. This way, the secure application 95 can easily determine the original remote server 205 when it receives the modified URL.
- the information of the original data request may not need to be stored and mapped to the redirect address. In the URL example, the original information from the URL can simply be obtained from the modified URL because the original information may be part of the modified information.
- the modified data access request can cause the system service 115 to direct the request back to the secure application 95 , instead of the original remote server 205 . That is, the system service 115 will establish a connection with the secure application 95 via the port that the secure application 95 created.
- the secure application 95 is able to determine the original data access request and can establish a connection with the relevant content provider, such as an appropriate remote server 205 .
- the secure application 95 can determine the original URL request and can open a connection with the location specified by the original URL. This process is reflected in the third step of FIG. 4 .
- the secure application 95 may be configured to track data usage.
- the secure application 95 can determine an amount of data that is carried over the connection that is established with the remote server 205 . This can include both incoming (i.e., from remote server 205 to secure application 95 ) and outgoing (i.e., from secure application 95 to remote server 205 ) content.
- the calculation unit 77 of FIG. 1 can work with the secure application 95 to tally the amount of data consumed by this particular session.
- a cumulative amount of data usage for the secure application 95 over a certain time period can be determined. This process may also be conducted for all or at least some of the other secure applications 95 that are installed on the computing device 15 .
- the data usage associated with the secure applications 95 may also be counted at a location that is remote to the computing device 15 .
- the enterprise can determine the amount of data usage that is tied to each of its secure applications 95 . This feature can enable the enterprise to determine data usage on the device 15 that is solely attributable to it. As a result, data usage tracking associated with the secure applications can be segregated from data usage that originates from the unsecure applications.
- the connection that is established between the secure application 95 and the remote server 205 can be a secure connection.
- the secure application 95 can be configured to establish virtual private network (VPN) connections with remote locations.
- VPN virtual private network
- Such a VPN connection is individual to the secure application 95 and is different from a system-level VPN. If desired, however, the connection between the secure application 95 and the remote server 205 is not required to be a secure connection.
- the secure application 95 may use a system-level VPN.
- HTTPS traffic may also be tracked in accordance with the procedures presented herein.
- additional steps can be taken when dealing with HTTPS traffic to ensure accurate and complete accounting. For example, if a user is accessing an HTTPS link through the secure application 95 , the original URL may be modified similar to the HTTP examples above, but the connection between the system service 115 and the secure application 95 may be left in the open.
- the secure application 95 can convert the HTTPS request to an HTTP request when the secure application 95 modifies the URL for purposes of directing the system service 115 back to the secure application 95 . That is, the secure application 95 can change the connection type of the data request from a secure connection to an open connection when the data request is modified.
- the following HTTPS URL may be received:
- the secure application 95 can determine that this is an HTTPS request and can modify the URL.
- An exemplary conversion is presented here:
- the session between the secure application 95 and the remote server 205 can be a transport layer security (TLS) connection, which can terminate at the secure application 95 .
- TLS transport layer security
- the secure application 95 may be configured to arrange VPN connections in an individual manner.
- Such an application-level VPN can support any type of traffic that is exchanged between the secure application 95 and the remote server 205 , including both HTTP and HTTPS streams.
- the ability of the secure application 95 to provide an application-level VPN does not impede the ability of the secure application 95 to modify data access requests and then convert them back to their original form, as described above. Further, these techniques can be practiced if the secure application 95 is using a system-level VPN or is not relying on a VPN connection at all.
- the secure application 95 may be configured to account for these re-directs. For example, if the initial data request is an HTTP request and the remote server 205 returns an HTTP re-direct, the secure application 95 may transform that HTTP re-direct in accordance with the modification process described above. By doing so, the secure application 95 can ensure that the system service 115 establishes the new re-direct connection with the secure application 95 . As such, when the secure application 95 detects a re-direct, the secure application 95 can request another socket and port from the operating system to account for the new destination that originates from the re-direct. The secure application 95 can then open a connection between itself and the new (and appropriate) remote server 205 . This process can be expanded to account for re-direct playlists, such that socket/port pairs are generated when needed for the URLs that make up the playlists.
- the secure application 95 may be required to detect the re-directs in the incoming streams. If the original data access request is not based on a secure protocol, like HTTPS, then the secure application 95 is easily able to detect the re-directs. If the original request is based on a secure protocol, however, complications may arise because the traffic being streamed to the system service 115 may be encrypted. As noted above, when dealing with a secure protocol, the termination point for the secure connection can be placed at the secure application 95 , not the system service 115 . As a result, the secure application 95 can decrypt the incoming traffic and can detect the re-directs, similar to how it would for an unsecure protocol. Thus, as an example, re-directs can be handled for both HTTP and HTTPS.
- the overall total usage related to all or at least some of the secure applications 95 can be determined, which can allow the segregation of data consumption between secure and personal profiles, as described earlier. In this case, however, the modification of the data access requests is not required, and the system service may fetch data in its conventional manner. When available with the system services 115 , this feature may be useful for data accounting, particularly when application-level VPNs are not incorporated into the secure applications 95 .
- the secure application 95 may be a secure web browser, through which a user may attempt to retrieve some data.
- an application may work with the operating system of a computing device to establish a connection to an external entity, such as a web server.
- the application may be configured to generate calls for an application programming interface (API) defined by the portable operating system interface (POSIX).
- API application programming interface
- POSIX portable operating system interface
- the operating system can establish a connection to the external entity on behalf of the application.
- a method 500 for enabling data usage accounting is shown.
- the method 500 may include additional or even fewer steps or processes in comparison to what is illustrated in FIG. 5 .
- the method 500 is not necessarily limited to the chronological order that is shown in FIG. 5 .
- a request for a data session can be received through a secure application, and at step 510 , in response, a listening socket can be created.
- the request for the data session can be intercepted, as shown at step 515 , and the request for the data session can be modified to cause the request to be re-directed back to the secure application, as shown at step 520 .
- a connection can be initiated to enable retrieval of the data in response to the request and an accounting of the data session.
- the listening socket can be torn down.
- decision block 535 it can be determined whether a connection with a Wi-Fi network is in place. If no, the method 500 can resume at decision block 535 . If yes, a setting can be activated that prevents the request for the data session from being intercepted and modified, as shown at step 540 .
- FIG. 6 presents an example of an interaction 600 between a secure application 95 and the system server 40 with the secure framework 45 facilitating the operation.
- the secure framework 45 may be considered part of and can work in conjunction with the secure application 95 to carry out the operations described herein, reference may in some cases be made solely to the secure application 95 when explaining this interaction 600 for purposes of convenience.
- a user may be interacting with the secure application 95 , and the user may wish to retrieve some content from, for example, an external entity.
- the computing device 15 may have both secure applications 95 and unsecure applications 90 installed thereon.
- the secure application 95 may generate a request for a data session.
- the request may be a POSIX connect call, although the principles outlined herein are not limited to such an arrangement.
- This request may include addressing information that is intended to be used to establish the connection with the external entity. Examples of addressing information include the following arguments: socket (specifies the file descriptor associated with the socket); address (points to a sockaddr structure containing the peer address); and address_len (specifies the length of the sockaddr structure pointed to by the address argument. Other exemplary arguments and parameters may also be applicable here.
- the term “addressing information” is defined as data that is configured to facilitate or enable a connection with one or more destinations.
- This request may be from the secure application 95 or the system framework associated with the secure application 95 .
- the secure application 95 can generate a listening socket on the loopback interface—similar to the procedures previously described.
- the listening socket can be a temporary socket in that it can be torn down once it serves its purpose of establishing a connection through the secure application 95 .
- the secure application 95 can intercept the request for the data session. This interception can occur because the secure framework 45 can be shimmed between the system framework and the operating system and can be configured to recognize predetermined calls for modification or other processing, while allowing others to pass unfettered.
- the data session request can be modified by re-writing portions of the request based on the newly-created listening socket. For example, the addressing information of the connect call may be re-written with the addressing information associated with the listening socket. As shown in FIG. 6 , the modified data session request can then be passed to the system server 40 . This modified call may still be in the native format, or in the form that is normally used by the secure application 95 and other applications on the computing device 15 to make calls to the operating system. That is, the native version of the relevant function can be called at this stage, where it is modified to include the new addressing information for the listening socket.
- the original addressing information (or at least some portion of it) can be stored and assigned to the listening socket.
- the original addressing information includes the final destination address and can be used to establish the intended connection, as will be explained below.
- a return can be generated to inform the system framework or the secure application 95 that the requested connect is in progress.
- the redirection here can be transparent to the secure application 95 or the system framework. That is, no changes are required to be made to the secure application 95 or the system framework to enable the interception and modification of the data session request.
- These objects can continue to make their native calls when seeking to exchange data with an external entity, and they are unaware that their calls are being manipulated in this manner.
- transparent redirection of a request or “transparently redirecting a request” are defined as a redirection of a request in which the source of the request is unaware of its redirection, and examples of a request include a call, command or function.
- non redirection of a request or “natively redirecting a request” are defined as a redirection of a request in which the source of the request maintains its reliance on native or pre-existing protocols or structure to generate or to facilitate the request.
- connection between the secure application 95 and the external entity may support various types of formats or protocols.
- the connection to the external entity may be through an application-level virtual private network (VPN), as the secure application 95 may be configured to provide such a feature.
- the connection may also utilize a system-level VPN, if desired.
- the socket of the external entity can be the appropriate socket of the VPN, as opposed to a native socket for the back-end location.
- the connection with the external entity is not necessarily limited to being a secure connection, as unsecure connections may be used.
- the computing device 15 in which the previously described techniques may be practiced may include a Wi-Fi communications stack.
- the Wi-Fi stack can enable the device 15 to exchange data with external entities over a Wi-Fi network using any of the protocols within that family for which the device 15 is configured.
- a setting in the device may be activated to prevent the process of redirecting data access requests. That is, because users are typically permitted to access Wi-Fi networks for free, it may not be necessary to track data usage when the device 15 is using such a network, thereby obviating the need to intercept and modify the data access requests in accordance with the processes described above.
- the computing device 15 leaves the Wi-Fi network and returns to the billing network, the setting can be deactivated, and the process of data usage counting can begin again.
- the tracking of data usage may be limited to a particular network, such as a predefined cellular network.
- the processes described herein may only be executed on this predetermined network.
- the redirection process may not be carried out. For example, if the computing device 15 is roaming on a network, or operating on a network that is not its home network, the setting that prevents the redirection process may be activated, even though use of the roaming network may cause the user to incur data usage charges. Nonetheless, if desired, data usage tracking based on the techniques described herein may be conducted on roaming networks or Wi-Fi or other free-access networks.
- the counting or calculation of data can be performed at a location that is remote to the computing device 15 .
- an arrangement may be configured in which certain data sessions are facilitated by a remote relay to enable data tracking at the relay or some other suitable location.
- FIG. 7 an example of a system 700 that enables data usage accounting through a relay is illustrated.
- the system 700 can include one or more computing devices 15 —which may have both unsecure applications 90 and secure applications 95 installed thereon—and one or more remote servers 205 .
- the remote servers 205 and the computing devices 15 may exchange various forms of data with one another.
- one or more networks 210 may facilitate the exchange of data between the computing devices 15 and the remote servers 205 .
- the network(s) 210 may be composed of various types of components to support wireless or wired communications (including both).
- the network(s) 210 may also be configured to support local or wide area communications (or both).
- the network 210 may include one or more relay servers 705 , and at least some of the relay servers 705 may include a calculation unit 710 .
- the calculation unit 710 may be a part of the relay server 705 or may be an independent component that is communicatively coupled to the relay server 705 .
- connections may be established between any of the relay servers 705 and any of the computing devices 15 and between any of the relay servers 705 and any of the remote servers 205 .
- the data that is transferred between the computing devices 15 and the remote servers 205 may be calculated or counted, such as by the appropriate calculation units 710 .
- tracking may only be conducted for secure applications 95 or other processes associated with the enterprise and not the user's personal activities.
- the relay servers 705 may be associated with a predetermined network, such that the computing device 15 is directed to a server 705 in this particular network 210 .
- the use of the relay servers 705 (and hence, the calculation units 710 ) may be selective in nature. For example, this arrangement may only be utilized for secure applications 95 and when the computing device 15 is camped on a certain network 210 for service, such as a predetermined cellular network.
- a method 800 of enabling data usage accounting through a relay is illustrated.
- the method 800 may include additional or even fewer steps or processes in comparison to what is illustrated in FIG. 8 .
- the method 800 is not necessarily limited to the chronological order that is shown in FIG. 8 .
- a request for a data session can be received through a secure application.
- the request may include a final endpoint.
- the request for the data session can be intercepted, and the request can be modified to cause the request to be redirected back to the secure application, as shown at step 815 .
- a connection can be initiated with a relay server instead of the final endpoint such that data usage accounting for the data session is to be conducted at a remote location.
- the computing device can be authenticated with the relay server prior to permitting data exchange between the secure application and the relay server.
- the final endpoint can be provided to the relay server to enable the relay server to establish a connection with the final endpoint.
- data from the secure application may be buffered while the connection with the relay server or the final endpoint is being established.
- Data associated with the final endpoint may be counted such that a data usage amount is determined for the requesting secure application, as shown at step 840 .
- a report can be generated that details the data usage of the secure applications installed on the computing device.
- the method 800 can resume at decision block 850 . If yes, in response to such a determination, a setting can be activated that prevents the data session request to be redirected back to the secure application and the initiation of the connection with the relay server, as shown at step 855 .
- FIG. 9 shows an example of an interaction 900 among a secure application 95 (along with the secure framework 45 ), a relay server 705 (and calculation unit 710 ) and a remote server 205 .
- the secure framework 45 may be considered to be part of the secure application 95
- the calculation unit 710 may be part of the relay server 710 , although other suitable arrangements may apply to these principles.
- a user may initiate a data session request through a secure application 95 , which may be intercepted and modified to be redirected back to the secure application 95 .
- This process may be similar to the exemplary techniques described above with respect to re-writing URLs and addressing information. That is, the secure application 95 , via the secure framework 45 , may set up a listening socket on a loopback interface, and the relevant data can be re-written to cause the request to be redirected to the listening socket.
- the secure application 95 can initiate a connection with the relay server 705 .
- the relay server 705 which can be any suitable combination of hardware and software, can be used to initiate and establish a connection with the final endpoint of the data session request, which may be the remote server 205 .
- the secure application 95 can re-write the addressing information of the request with the addressing information of the listening socket of the loopback interface and can store the replaced addressing information.
- the stored addressing information may be the addressing information of the final endpoint.
- a return can be generated to inform the system framework or the secure application 95 that the requested connect is in progress.
- the secure application 95 may then generate an accepted or connected socket.
- the connected socket may enable data to be passed to and from the secure application 95 through the loopback interface.
- the listening socket may be torn down to preserve system resources, although such a step may be bypassed in other circumstances.
- the secure application 95 may generate a back-end socket for initiating and establishing the connection with, for example, the appropriate relay server 705 , which may be listening for connections on its public IP address.
- the connection protocol with the relay server 705 may be negotiated, which may include authentication of the computing device 15 or some other process, service or component that is part of the device 15 .
- the IP address of the computing device 15 may be provided to enable the authentication of the device 15 .
- any data that may be generated by the secure application 95 may be buffered, at least until, for example, the connection with the relay server 705 is established.
- the connection between the relevant socket of the secure application 95 and the connected socket of the loopback interface may be operatively the same as a connection with a final endpoint.
- a one-to-one mapping between the socket of the secure application 95 and the connected socket may exist.
- the secure application 95 may behave naturally and to support this feature, any portion of the data generated by the secure application 95 during the negotiation with the relay server 705 can be saved for eventual transmission to the relay server 705 .
- the secure application 95 can send the final endpoint of the data session request to the relay server 705 .
- the secure application 95 may, in accordance with the protocol of the relay server 705 , package the addressing information of the final endpoint as part of a payload for the relay server 705 .
- any buffered data from the secure application 95 may be sent to the relay server 705 .
- the relay server 705 can establish the connection with the remote server 205 (i.e., final endpoint) on behalf of the secure application 95 . If necessary, the relay server 705 may also buffer data during its negotiation with the remote server 205 .
- data exchanges may occur between the secure application 95 of the computing device 15 and the remote server 205 , via the relay server 705 .
- the buffered data may be held at the computing device 15 until the connection between the relay server 705 and the remote server 205 is completed.
- the data session may end, either through the secure application 95 , the relay server 705 , the remote server 205 or some other process or component.
- the components/processes may tear down the connections and release any relevant system resources.
- the secure application 95 may close the loopback interface (and any associated sockets) in the event the session is completed. These principles may also apply in the event that any of the connections are unable to be established in response to the initial request.
- uniform resource locators may be re-written, particularly in the case of calls being made to a system service 115 .
- the process of establishing the connection with the relay server 705 and the remote server 205 is similar to that described above. In this case, however, during the time the connection with the relay server 705 is being established, the secure application 95 can perform a domain name system (DNS) look-up of the original host name to determine the appropriate IP address for the final endpoint. Once the IP address is retrieved and the connection with the relay server 705 is established, the secure application 95 can provide the IP address as part of the addressing information that is packaged and sent to the relay server 705 . That is, the re-written URL may be resolved into an address that can be used to establish the connection with the appropriate remote server 205 through the relay server 705 .
- DNS domain name system
- any data that is exchanged between the secure application 95 and the remote server 205 may be routed through the relay server 705 .
- the relay server 705 can be configured to facilitate the remote tracking of data usage for the secure application 95 for this exchange, as well as other sessions in the future.
- the calculation unit 710 may determine the data usage for the secure application 95 , as well as other secure applications 95 , and can generate one or more reports that indicate the details of such usage.
- the data usage can be correlated with a particular computing device 15 through the received IP address of the device 15 .
- the report can include usage totals on an individual or group basis for any number of secure applications 95 . These reports may then be disseminated to the relevant parties for purposes of billing.
- a relay scheme can be leveraged to enable remote data counting for the computing device 15 .
- the counting of the data based on the exchanges with the external entity may be performed at the computing device 15 , such as through the secure application 95 that requested the session or a hub application 120 (see FIG. 1 ).
- the calculation units 710 may not necessarily be at the same location as the relay servers 705 , as the units 710 may be remote to both the computing device 15 and the relay servers 705 .
- any number of calculation units 710 may be associated with any number of relay servers 705 . In fact, these components may be grouped together in any suitable fashion.
- any number of relay servers 705 and calculation units 710 may be grouped together for an enterprise in which the users of the computing devices 15 being tracked are associated with the enterprise, such as employees of the enterprise. These groupings may be isolated from one another to prevent comingling of data streams associated with different enterprises to ensure accurate billing.
- this process of establishing a connection with a relay server 705 to enable data exchange with a final destination and for tracking and counting the data associated with such sessions may be restricted to secure applications 95 , such as those installed on the computing device 15 . As such, this procedure may not be performed for any data sessions associated with unsecure applications 90 . Because the secure applications 95 may likely be associated with or sponsored by an enterprise, the process presented here can allow for separate data usage charges for the computing device 15 with respect to a user's personal data and that affiliated with, for example, the user's employer. Of course, such an arrangement may be implemented for any application, including individual applications or for certain groups of applications, and may not necessarily be limited only to secure applications 95 .
- the process of establishing the connection with the relay server 705 as described above may be transparent to the secure application 95 .
- this connection may be based on a protocol that is non-native to the secure application 95 .
- a secure application 95 is created from a target application that is typically available to one or more parties for download, such as through an app store or some other electronic storefront.
- the original portions of the target application that make up the secure application 95 may be unaware of the connection with the relay server 705 and such portions may continue to make calls in their native formats.
- the secure framework 45 of the secure application 95 may be configured to abstract the necessary calls and protocol associated with establishing the connection with the relay server 705 . As such, the original developer is relieved of having to change any of the original code to facilitate the relaying arrangement or to operate in accordance with the non-native protocol of the relay server 705 .
- the protocol for the connection to the relay server 705 can be configured to traverse firewalls or other security features to permit access to protected internal resources.
- this connection may be based on a layer 4 solution (transport) per the open systems interconnection (OSI) model, as opposed to tunneling or networking technologies associated with layer 3 of the OSI model.
- OSI open systems interconnection
- This arrangement reduces the complexities of the connection because there are no addressing resolution issues, as would be the case for a VPN solution. That is, the transport layer solution obviates the need to deploy a networking infrastructure, and the non-native protocol can be resolved by the secure framework 45 . Almost any type of data may flow over the relay connection, as well, including encrypted and unencrypted traffic.
- the secure application 95 may be configured to connect to an external entity in multiple ways.
- the secure application 95 may use blocking or non-blocking sockets or transmission control protocol (TCP) or user datagram protocol (UDP) connections.
- TCP transmission control protocol
- UDP user datagram protocol
- the solutions presented here can accommodate all or at least a portion of the possible ways a secure application 95 may be designed to connect to the external entity. That is, the secure framework 45 may be constructed to intercept the various networking calls of the secure application 95 and to perform the redirects and connection-initiation with the relay server 705 in accordance with the protocol of the relay server 705 , as described above.
- a plurality of predetermined disparate networking calls or functions of the secure applications 95 that are based on various connection modes may be identified. These calls or functions may then be manipulated when they are activated in accordance with the descriptions above to permit data exchange over a relay connection that is based on a single connection mode.
- the execution of this relaying process may hinge on the type of network to which the computing device 15 is connected. For example, if the computing device 15 is camped on a Wi-Fi network or some other public, private or free access network, a setting may be activated that prevents the data session request from being redirected back to the secure application or the initiation of the connection with the relay server 705 , or both.
- the relaying process may only be conducted if the computing device 15 is camped on a predetermined network, such as its home cellular network. As such, if the device 15 is roaming, the setting described above may be activated.
- these embodiments are not meant to be limiting, as the techniques presented here may be applicable to any one of the networks with which the computing device 15 may conduct communications.
- each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s).
- the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved.
Abstract
Description
- This patent application is a continuation-in-part of U.S. patent application Ser. No. 14/608,662, filed on Jan. 29, 2015, which is a continuation-in-part of U.S. patent application Ser. No. 14/573,601, filed on Dec. 17, 2014, which is a continuation of U.S. patent application Ser. No. 14/478,066, filed on Sep. 5, 2014, now issued as U.S. Pat. No. 8,938,547 on Jan. 20, 2015, each of which is incorporated herein by reference in its entirety.
- The present description relates to methods and systems for data usage accounting and more particularly, to methods and systems for data usage accounting in computing devices with secure enterprise applications and personal applications.
- In an effort to increase productivity, many employers allow their workers to conduct business related to the employer on their personal mobile devices. In some cases, employers also provide some of their employees with company-issued mobile devices. In either arrangement, an employer understands that a single device may include sensitive data related to that employer in addition to data that is personal to the employee. Several advances have been made in an effort to protect an employer's data in these circumstances. For example, OpenPeak Inc. of Boca Raton, Fla. has developed solutions that enable a mobile device to include both enterprise and personal data but that isolate the enterprise data from the personal data. As part of these solutions, an employee may download secure applications that may be used to conduct transactions related to the enterprise.
- Because the employee's device may include both personal and secure applications, it may be desirable to bifurcate the process of data usage accounting. In particular, the employer may wish to receive an accounting of the data usage associated with the secure applications that have been installed on the employee's device on behalf of the employer. This accounting, however, needs to be separate from data accounting that may be attributable to unsecure applications that the employee may have installed for personal use.
- A method for enabling data usage accounting through a relay is described herein. The method can be practiced on a computing device that has secure applications and unsecure applications installed thereon. Initially, a request for a data session that includes a final endpoint can be received through a secure application. The request for the data session can be intercepted and modified to cause the request to be redirected back to the secure application. In addition, a connection with a relay component can be initiated instead of the final endpoint such that data usage accounting for the data session is to be conducted at a remote location.
- In one example, the final endpoint can be provided to the relay server to enable the relay component to establish a connection with the final endpoint. In another example, the connection with the relay component that is initiated can be transparent to the secure application, and the connection with the relay component that is initiated may be based on a protocol that is non-native to the secure application. This arrangement can mean that some portion of the secure application, such as the original code of the target application that comprises the secure application, may be abstracted away from the connection with the relay component, while some other portion of the secure application, like a secure framework and/or other code that has been integrated with the target application to create the secure application, may enable the abstraction and may facilitate the connection with the relay component. As such, the original code of the target application does not have to be restructured, altered or re-written to account for the redirection of the request or for the (incompatible) protocol of the relay component.
- In one embodiment, data from the secure application can be buffered while the connection with the relay component or the final endpoint is being established. Initiating the connection with the relay component may include providing an internet protocol (IP) address of the computing device to the relay component. Further, the connection that is initiated with the relay component is configured to support the transport of both unencrypted data and encrypted data for the secure application.
- Another method of enabling segregated data usage accounting on a computing device is described herein. At first, a secure application that is installed on the device can be launched in which the device may have unsecure applications installed thereon in addition to the secure application. Through the secure application, content may be requested from a final destination. In response, the content request may be redirected back to the secure application, and a connection with a relay server can be initiated to enable retrieval of the requested content from the final destination and to enable an accounting of data of the retrieved content. In one arrangement, the initiation of the connection with the relay server only occurs for the secure application and not for the unsecure applications.
- Additionally, the final destination and an IP address of the computing device may be provided to the relay server. Like the previous method, the connection of the relay server may be based on a protocol that is non-native to the secure application and redirecting the content request back to the secure application may include natively redirecting the content request back to the secure application. Natively redirecting may refer to the secure application relying on native calls when initially generating the data session request. Also like the previous method, initiating the connection with the relay server may include transparently initiating the relay connection with the relay server.
- In one embodiment, the content request can be redirected back to the secure application for a plurality of predetermined networking calls from the secure application. As an example, the connection with the relay server may be predefined and able to accommodate each of the predetermined networking calls. As another example, initiating the connection with the relay server may include authenticating the computing device with the relay server prior to permitting data exchange between the secure application and the relay server. In some cases, data from the secure application can be buffered while the connection with the relay server is established.
- In another arrangement, it can be determined whether the computing device is operating on a Wi-Fi communication network. In response to the determination, a setting can be activated that prevents the content request from being redirected back to the secure application and the initiation of the connection with the relay server.
- A method of counting data associated with secure applications is also described herein. In the method, a request can be received to establish a relay connection with a requesting secure application installed on a computing device that includes both secure applications and unsecure applications. In response, the computing device can be authenticated. If the device is authenticated, the relay connection with the requesting secure application can be established, and a connection with a final destination specified by the requesting secure application can be initiated. In addition, data associated with the final destination connection can be counted such that a data usage amount is determined for the requesting secure application. The counting of the data may only be performed for the secure applications.
- Further, data associated with the final destination connection may be returned to the secure application over the relay connection. As with the previous methods, the relay connection may be based on a protocol that is non-native to the requesting secure application. As another example, receiving the request to establish the relay connection may include receiving the final destination specified by the requesting secure application and an IP address of the computing device. Establishing the relay connection with the requesting secure application may include establishing the relay connection with the requesting secure application only if the computing device is operating on a predetermined cellular network. This predetermined cellular network may be owned, operated or maintained by the same entity that performs the counting of the data associated with the final destination. A report that details the data usage of the secure applications installed on the computing device may also be generated.
- A computing device is also described herein. The computing device may include a display that is configured to display both secure and unsecure applications that are installed on the computing device and may also include a processing unit that is communicatively coupled to the display. The processing unit can be configured to receive a data access request through one of the secure applications in which the data access request may include a final destination. The processing unit may also be configured to cause a redirection of the data access request back to the secure application and to cause a connection with a relay server to be initiated to enable an accounting of data associated with the data access request. The relay server can be configured to establish a connection with the final destination specified by the secure application. The processing unit can be further configured to cause the redirection of the data access request and the connection with the relay server for the secure applications but not for the unsecure applications.
- In one arrangement, the computing device can include a Wi-Fi communications stack that is communicatively coupled to the processing unit. The processing unit can be further configured to cause a setting to be activated to prevent the redirection of the data access request and the connection with the relay server if the computing device is connected to a Wi-Fi network through the Wi-Fi communications stack. This feature may be applicable to other networks. For example, the setting may be activated if the computing device is camped on a roaming network or a network in which data usage charges are not applicable or not otherwise incurred for access or use.
- The computing device may also include memory that is communicatively coupled to the processing unit. In this case, the processing unit can be further configured to cause data from the secure application to be buffered in the memory while the connection with the relay server is established. As another example, similar to the methods described above, the connection with the relay server may be based on a protocol that is non-native to the requesting secure application, and the processing unit is further configured to cause the connection with the relay server to be initiated transparently with respect to the requesting secure application. In one embodiment, the connection with the relay server can be configured to support unencrypted traffic between the secure application and the final destination. In another embodiment, the processing unit can be further configured to cause the connection with the relay server to be initiated by causing a listening socket on a loopback interface to be generated and a back-end socket to be generated.
- Further features and advantage, as well as the structure and operation of various embodiments, are described in detail below with reference to the accompanying drawings. It is noted that this description is not limited to the specific embodiments presented herein. Such embodiments are provided for illustrative purposes only. Additional embodiments will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein.
- The accompanying drawings, which are incorporated herein and form part of the specification, illustrate embodiments of the subject matter described herein and, together with the description, further serve to explain the principles of such subject matter and to enable a person skilled in the relevant art(s) to make and use the subject matter.
-
FIG. 1 illustrates an example of a block diagram of the system architecture of a computing device that is configured to practice the subject matter described herein. -
FIG. 2 illustrates an example of a system that shows the computing device ofFIG. 1 in communication with one or more remote servers. -
FIG. 3 illustrates an example of a method for data usage accounting. -
FIG. 4 illustrates an example of an interaction among a secure application, a remote server and a system service. -
FIG. 5 illustrates another example of a method for enabling data usage accounting. -
FIG. 6 illustrates an example of an interaction between a secure application and a system server. -
FIG. 7 illustrates an example of a system that shows the computing device ofFIG. 1 in communication with one or more relay servers and one or more remote servers. -
FIG. 8 illustrates an example of a method for data usage accounting through a relay. -
FIG. 9 illustrates an example of an interaction among a secure application, a relay server and a remote server. - The features and advantages of the embodiments herein will become more apparent from the detailed description set forth below when taken in conjunction with the drawings, in which like reference characters identify corresponding elements throughout. In the drawings, like reference numbers generally indicate identical, functionally similar, and/or structurally similar elements.
- The following detailed description refers to the accompanying drawings that illustrate exemplary embodiments; however, the scope of the present claims is not limited to these embodiments. Thus, embodiments beyond those shown in the accompanying drawings, such as modified versions of the illustrated embodiments, may nevertheless be encompassed by the present claims.
- References in the specification to “one embodiment,” “an embodiment,” “an example embodiment,” “one arrangement,” “an arrangement” or the like, indicate that the embodiment or arrangement described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment or arrangement. Furthermore, when a particular feature, structure, or characteristic is described in connection with an embodiment or arrangement, it is submitted that it is within the knowledge of one skilled in the art to implement such feature, structure, or characteristic in connection with other embodiments or arrangements whether or not explicitly described. The word “among,” as it is used throughout this description, should not necessarily be interpreted as requiring exchanges or interaction among three or more applications, irrespective of grammar rules. The word “a” is not necessarily limited to a singular instance of something, as it may mean one or more.
- Several definitions that apply throughout this document will now be presented. The term “exemplary” as used herein is defined as an example or an instance of an object, apparatus, system, entity, composition, method, step or process. The term “communicatively coupled” is defined as a state in which two or more components are connected such that communication signals are able to be exchanged (directly or indirectly) between the components on a unidirectional or bidirectional (or multi-directional) manner, either wirelessly, through a wired connection or a combination of both. A “computing device” is defined as a component that is configured to perform some process or function for a user and includes both mobile and non-mobile devices. The term “computer readable storage medium” is defined as one or more components that are configured to store instructions that are to be executed by one or more processing units.
- An “application” is defined as a program or programs that perform one or more particular tasks on a computing device. Examples of an application include programs that may present a user interface for interaction with a user or that may run in the background of an operating environment that may not present a user interface while in the background. The term “operating system” is defined as a collection of software components that directs a computing device's operations, including controlling and scheduling the execution of other programs and managing storage, input/output and communication resources. A “processing unit” or “processor” is defined as one or more components that execute sets of instructions, and the components may be disparate parts or part of a whole unit and may not necessarily be located in the same physical location.
- The terms “memory,” “memory element” or “repository” are defined as one or more components that are configured to store data, either on a temporary or persistent basis. The term “shared memory” is memory, a memory element or a repository that is accessible (directly or indirectly) by two or more applications or other processes. An “interface” is defined as a component or a group of components that enable(s) a device to communicate with one or more different devices, whether through hard-wired connections, wireless connections or a combination of both. An “input/output device” is defined as a device that is configured to at least receive input from a user or a machine that is intended to cause some action or other effect on a component with which the input device is associated. A “display” is defined as an apparatus that presents information in visual form and may or may not receive input through a touch screen.
- The term “file system” is defined as an abstraction that is used to organize, store and retrieve data. The term “secure application” is defined as an application that has been modified or enhanced from its original form to restrict communications between the application and unauthorized programs, applications or devices and to restrict operation of the application based on policy or to alter, augment or add features associated with the operation of the application (or any combination thereof) or—in the case of the application not being modified—an application that is part of a secure workspace that is protected from data exchanges with applications that are part of a personal or an unsecure workspace. A “target application” is defined as an application that has been selected for conversion into a secure application. An “unsecure application” is defined as an application that has not undergone the modification required to convert the application into a secure application and, as such, is unable to obtain data from a secure application in view of an obfuscation scheme employed by that secure application or is an application that is not part of a secure workspace and is restricted from accessing data from the secure workspace. A “hub application” is defined as an application that receives input from one or more secure applications and establishes connections with external entities on behalf of the secure applications that provide such input. A “virtual machine” is defined as a platform-independent execution environment that emulates a physical machine.
- The term “personal workspace” is defined as a workspace, profile or partition that is configured to contain the personal content and unsecure applications or other unsecure programs associated with a user of a computing device on which the personal workspace sits. The term “secure workspace” is defined as a workspace, profile or partition that is configured to contain secure content, secure applications and other secure programs and requires some form of authentication to be accessed.
- The term “content provider” is defined as a site that offers data for consumption by a computing device. The term “system service” is defined as an application or a set of applications on a computing device that offer one or more features for access by an unsecure application or a secure application. A “secure connection” is defined as a connection in which at least some portion of the data that is exchanged over the connection is encrypted or otherwise obfuscated from unauthorized parties, entities or processes. To “consume data” means to receive data from a source, transmit data to a recipient or both. An “external network entity” means an entity—such as a component or a service—that is part of a network that is external to or located remotely from a computing device. An “external entity” is defined as an entity to which an application wishes to establish a connection. A “final endpoint” or “final destination” is the external entity with which an application or process intends to establish a connection based on a data request. A “relay server” is a server that facilitates a connection between a computing device and a remote or content server or some other final endpoint or destination.
- As explained earlier, solutions have been developed that enable a mobile device to include both personal and enterprise data. Accordingly, it may be useful to segregate data usage accounting associated with the enterprise side from usage associated with the personal space. This process can enable an enterprise to determine how much data that is consumed by the mobile device is the responsibility of the enterprise.
- In view of this need, a method and system for enabling data usage accounting is described herein. As an example, the method can be practiced on a computing device that has secure applications and unsecure applications installed thereon. A request for a data session that includes a final endpoint or destination can be received through a secure application. The request for the data session can be intercepted and modified to cause the request to be re-directed back to the secure application. In addition, a connection with a relay server can be initiated instead of the final endpoint such that data usage accounting for the data session is to be conducted at a remote location. Moreover, this technique can be limited to the secure applications on the computing device, meaning the unsecure applications are unaffected. Virtually any type of data can be tracked and counted under this scheme, including digitized voice signals and other forms of communication, including messaging.
- Through this arrangement, data tracking can be conducted for secure applications or other applications associated with an enterprise or organization that are installed on a user's computing device based on that user's relationship with that enterprise or organization. This tracking can also be kept apart from any accounting performed for a user's personal usage, such as that associated with unsecure applications on the device. Accordingly, an enterprise can accurately determine its accountability for data usage by a computing device that includes both enterprise and personal data. This solution may be particularly useful for counting the data of the sessions at a remote location.
- Referring to
FIG. 1 , an example of a block diagram 10 of the system architecture of acomputing device 15 is shown. In this arrangement, thecomputing device 15 can include ahardware layer 20, akernel layer 25 and alibraries layer 30, which may include a plurality of native libraries. This architecture may also include aruntime environment 35, asystem server 40, asecure framework 45 and anapplication layer 50. - In one arrangement, the
hardware layer 20 may include any number and type of hardware components, such as one ormore displays 55, one or more input/output (I/O)devices 60, one ormore processing units 65 and any suitable type and number ofmemory devices 70 and interfaces 75. Examples of the I/O devices 60 include speakers, microphones, physical keypads, etc. In addition, thedisplay 55 can serve as an I/O device 60 in the form of a touch-screen display. Theinterface 75 can be configured to support various types of communications, including wired or wireless and through any suitable type of standards and protocols. As an example, theinterface 75 can include one or more cellular communication stacks and one or more Wi-Fi communication stacks to enable thecomputing device 15 to conduct bidirectional communications with one or more cellular networks and one or more Wi-Fi networks, respectively. In one arrangement, thehardware layer 20 may also include acalculation unit 77, which can be configured to calculate or determine (or at least assist in the determination or calculation of) data usage totals associated with any type of session conducted on thecomputing device 15, including those originating from theapplication layer 50. Thecalculation unit 77 may be a separate component or may be part of theprocessing unit 65. In another arrangement, thecalculation unit 77 may be remotely located such that it is external to thecomputing device 15. In such a case, information regarding the sessions may be sent to a remote location that supports thecalculation unit 77, and theunit 77 can perform its calculation functions once it receives the information. - In addition, the
runtime environment 35 can support any suitable number ofvirtual machines 80 andcore libraries 85, although a virtual machine may not be needed in other arrangements, such as where native code is employed. Thesystem server 40 can serve as an abstraction for the underlying layers for the applications in theapplication layer 50 and can provide numerous system services for the applications. As is known in the art, a system framework, which may be part of an application's process, can be employed to enable interaction with thesystem server 40 or other components. In this example, theapplication layer 50 may include any number ofunsecure applications 90 and any number ofsecure applications 95, one of which may be a coresecure application 100. Thesecure framework 45 can function in a manner similar to that of a conventional framework, but thesecure framework 45 can facilitate the encapsulation of a number ofsecure applications 95 to selectively restrict their data exchanges with theunsecure applications 90. In particular, thesecure framework 45 can be configured to intercept and modify certain calls from thesecure applications 95, prior to passing them to thesystem server 40. In one arrangement, these calls may be from thesecure applications 95 or the system framework. - In many cases, the
unsecure applications 90 are associated with the personal data of a user of thecomputing device 15. In contrast, thesecure applications 95 are typically associated with confidential or otherwise sensitive information that belongs to or is associated with an enterprise or some other organization, and the user of thedevice 15 may work for such an entity. In one arrangement, a virtual partition or workspace may be created on thecomputing device 15 in which the secure applications 95 (and the core secure application 100) are part of asecure workspace 105, and theunsecure applications 90 are part of apersonal workspace 110. In certain cases, a user may be required to provide authentication information, such as a password, PIN or biometric data, to gain access to thesecure workspace 105 or to any individual or group ofsecure applications 95. - In some cases, some of the
unsecure applications 90 may besystem services 115 that provide features or functionality that is associated with the type of operating system that is installed on thecomputing device 15. In some cases, thesystem service 115 may be an application or a set of applications that live in the background and support different tasks associated with the operating system of thedevice 15.System services 115 may facilitate the exposure of low-level functions of thehardware layer 20 and thekernel layer 25 to the higher-level application layer 50.Many system services 115 may operate with elevated privileges, in comparison to other applications. For example, acommon system service 115 that is typically found oncomputing devices 15 is a media player, which processes and presents media data for a user. Another example of asystem service 115 may be a photo viewer, which presents digital images for the user. As those skilled in the art will appreciate, the examples listed here are not meant to be limiting, and there areother system services 115 that may be available on thecomputing device 15. - In another embodiment, the system services 115 may be trusted
unsecure applications 90 that secureapplications 95 are permitted to share or otherwise exchange data with. An example of a trustedunsecure application 90 may be anunsecure application 90 that is by default installed on thecomputing device 15, such as by the manufacturer of thedevice 15 or a wireless carrier or other entity that provides services to thedevice 15. Another example of a trustedunsecure application 90 may be anunsecure application 90 that is listed on an application whitelist for one or moresecure applications 95. By being part of the application whitelist, the trustedunsecure application 90 may be preapproved for data exchange with the relevant secure application(s) 95. Additional information on application whitelisting can be found in U.S. patent application No. 61/973,898, filed on Apr. 2, 2014, which is incorporated by reference herein in its entirety. - As noted above, the
secure applications 95 and the system architecture may be configured to enable at least some of the calls to thesystem server 40 to be intercepted. There are several processes available for such a process. For example, U.S. patent application No. 62/033,142, which was filed on Aug. 5, 2014 and is herein incorporated by reference in its entirety, describes a method and system in which some of the system classes are overridden by classes associated with the coresecure application 100, which can allow runtime hooks to be applied against certain system calls. Based on this technique, some of the calls that the secure applications 95 (or a system framework) make to the system services 115 can be intercepted and modified, a process that will described below. - As another example, U.S. patent application Ser. No. 14/205,661, which was filed on Mar. 12, 2014, and U.S. patent application Ser. No. 14/205,686, which was also filed on Mar. 12, 2014, each of which is herein incorporated by reference in its entirety, present methods and systems by which target applications are encapsulated as secure applications for distribution. Once installed and initiated on a
computing device 15, the encapsulated application described in these references is loaded into memory, and runtime hooks are set to enable application programming interface (API) calls from the secure application to be intercepted. Similar to the description above, at least some of the calls to the system services 115 from the secure applications 95 (or a system framework) can be modified once they are intercepted. Other information on the process of intercepting certain functions of secure applications can be found in U.S. Pat. No. 8,695,060, issued on Apr. 8, 2014, which is also herein incorporated by reference in its entirety. - As described in these incorporated references, a
secure application 95 can be configured to provide additional features that may not have been otherwise available prior to it being converted into asecure application 95. As an example, asecure application 95 can be arranged to track the amount of data that it uses for a particular session. This process enables an administrator to determine data usage on a per-application basis. Of course,secure applications 95 may be managed in accordance with many other policies or configurations, as is known in the art. - While many applications (or target applications) are able to be converted into
secure applications 95, there are some applications that may not be so modified. For example,many system services 115 are default applications that are provided as part of the base configuration of thecomputing device 15. The developer of the operating system that provides thesesystem services 115 may not permit the system services 115 to be converted intosecure applications 95. As such,many system services 115 may remain asunsecure applications 90 on thecomputing device 15. Accordingly, the operation of asystem service 115 may not be amenable to being controlled or managed, as is the case withsecure applications 95. The relevance of this condition will be explained below. - In one embodiment, a
hub application 120 may be part of theapplication layer 50. Thehub application 120 may serve as a connection point for any number ofsecure applications 95 to enable thesecure applications 95 to connect to any suitable external entity, including various network components. In particular, if asecure application 95 requires a connection with an external entity, thesecure application 95 can request thehub application 120 to facilitate the communication. Thehub application 120 can accept such requests from any of thesecure applications 95, including from a singlesecure application 95 at a time or from multiple secure applications simultaneously. In accordance with the description herein, such a technique can facilitate the accounting of data usage associated withsecure applications 95. In one example, thehub application 120 can be a daemon or some other process that runs in the background. Because thehub application 120 accepts requests from thesecure applications 95, it may be considered as part of thesecure workspace 105 and may not be permitted to accept requests from theunsecure applications 90. As an option, a similar arrangement can be made for theunsecure applications 90, or, alternatively, thehub application 120 can be configured to accept requests from bothsecure applications 95 andunsecure applications 90. - In an alternative arrangement, the
computing device 15 may contain personal applications and enterprise applications. In this example, the personal applications are designed for the personal interactions of a user, while the enterprise applications may be developed for the work or business interactions of a user. The enterprise applications in this setting may not necessarily besecure applications 95, as described herein. In addition, a partition may be implemented in thecomputing device 15 to separate the personal applications from the enterprise applications. For example, a user may have separate log-ins for gaining access to the personal applications and to the enterprise applications. In this example, separate billing paths may be established for the personal applications and the enterprise applications, as is presented herein. - Referring to
FIG. 2 , asystem 200 that shows thecomputing device 15 in communication with one or moreremote servers 205 is shown. One ormore communication networks 210 may facilitate the communications between thecomputing devices 15 and theremote servers 205. In this example, thecomputing device 15 may be a mobile computing device, although the principles described herein may apply to desktop computers or other fixed equipment. In addition, a mobile computing device may be, for example, a smartphone, laptop, tablet or other devices that may be carried by an individual. The network(s) 210 may be composed of various types of components to support wireless or wired communications (including both). The network(s) 210 may also be configured to support local or wide area communications (or both). Theremote servers 205 may host any number of web sites that offer content that may be retrieved by thecomputing device 15 and may also be configured to accept data from thecomputing device 15. Because theservers 205 offer content, they may also be referred to as content providers, although the term “content provider” is certainly not limited to this particular example. - When operating the
computing device 15, a user may wish to access data from any one of theremote servers 205. In some cases, the data access request may originate from anunsecure application 90. In the standard flow, theunsecure application 90 may sometimes forward the request to arelevant system service 115. For example, if a user wishes to view a video associated with one of theremote servers 205 through anunsecure application 90, theunsecure application 90 passes the request to a media player of thecomputing device 15. The media player then retrieves the data from theappropriate server 205 and presents such data to the user. - In the case of a
secure application 95, a similar request would normally be passed to the media player, as well. In addition, the media player would conventionally establish a connection with the relevantremote server 205 and would present the requested data to the user. But because the system services 115 are typically not permitted to be converted intosecure applications 95, implementing the feature of data accounting in them, as can be done withsecure applications 95, may not be possible. In this instance, difficulties are presented in determining the percentage of data usage that is associated withsecure applications 95 in comparison to the consumption of data byunsecure applications 90. - A solution is described here, however, that enables such an accounting to take place. In particular, the initial data request from the
secure application 95 can be intercepted and modified prior to being passed to the media player. In view of the modification, the media player (or other system service 115) can direct the request back to thesecure application 95, and a connection can be established between thesecure application 95 and the appropriateremote server 205 to facilitate the exchange of data between thesecure application 95 and theremote server 205. This redirection of the request through thesecure application 95 can enable an accounting of the amount of data that is associated with this particular session, a feature that can be incorporated intosecure applications 95. Accordingly, an accurate accounting of data usage associated with at least some or allsecure applications 95 on thecomputing device 15 is now possible. As previously mentioned, the counting of the data associated with asecure application 95 is not limited to being performed by thesecure application 95 or even thecomputing device 15, as the calculation can be performed remotely. - This arrangement can enable an entity to determine the percentage of data usage that is attributable to it and to the user on a personal basis. Because data usage may be segregated between enterprise use and personal use, the enterprise may be able to craft more accurate data plans with wireless carriers or other similar entities. Moreover, the user, who may own the
computing device 15, would understand that the user would not be charged for data usage associated with that user's work or business and that the user would only be paying for personal data consumption. - Referring to
FIG. 3 , a method 300 of data usage accounting is shown. The method 300, however, may include additional or even fewer steps or processes in comparison to what is illustrated inFIG. 3 . Moreover, the method 300 is not necessarily limited to the chronological order that is shown inFIG. 3 . In describing the method 300, reference may be made toFIGS. 1 , 2 and 4, although it is understood that the method 300 may be practiced with any other suitable systems and components and may take advantage of other suitable processes. - At
step 305, in a setting that includes both secure applications and unsecure applications, a request to access data can be received via one of the secure applications in which the request is intended for a content provider via a system service. The request intended for the content provider via the system service can be intercepted, as shown atstep 310. Atstep 315, the intercepted request can be modified, which can cause the system service to direct the request back to the secure application instead of the content provider. A connection can be established with the content provider for the request through the secure application to enable data usage accounting of data that is returned by the content provider, as shown atstep 320. Additionally, atstep 325, content from the content provider can be received at the secure application, and the received content from the content provider can be forwarded to the system service for processing, as shown atstep 330. An amount of data that is carried over the established connection associated with the secure application can be determined, as shown atstep 335. - Referring to
FIGS. 1 and 2 , a user may wish to access data through, for example, asecure application 95 that is installed on thecomputing device 15. As an example, the user may desire to retrieve some type of content, such as video, through thesecure application 95. The content may need to be retrieved from one of theremote servers 205. Conventionally, the data access request would be passed to therelevant system service 115 and thesystem service 115 would fetch the content from theremote server 205. Here, however, the data access request may be intercepted prior to being handled by the operating system and can be modified to direct the request back to thesecure application 95 instead of theremote server 205. Reference will be made toFIG. 4 to help explain this process. - In
FIG. 4 , an example of aninteraction 400 between thesecure application 95, thesystem service 115 and theremote server 205 is shown. In the initial step, the data access request is received and is intercepted and modified. In this example, the data access request is for video that is stored at one of theremote servers 205 that is associated with a website or some other form of digital content, and thesystem service 115 is a media playback application. As such, in accordance with earlier discussion, the API that is associated with the media playback service can be hooked. - Based on conventional techniques, the uniform resource indicator (URI) related to this data request may be a uniform resource locator (URL) with the associated content available via the hypertext transfer protocol (HTTP) or the hypertext transfer protocol secure (HTTPS). As part of the modification process, the URL may be changed prior to being passed to the
system service 115. The modification of the URL, in one embodiment, may be based on a port number that is provided by the operating system. For example, thesecure application 95 may create a listening socket on a loopback interface by requesting a socket and port number from the operating system. As is known in the art, the loopback interface can support inter-process or inter-app communications on thecomputing device 15. The requested port may be a predetermined value or may be simply a request to the operating system to provide an available port number. Continuing with the example, the URL may be converted into a local-host URL that includes the assigned port number and the rest of the information from the original URL. The modified URL may then be passed across to thesystem service 115, in this case, the media player. As will be explained later, multiple listening sockets and ports may be requested from the operating system as part of this process. - Consider the following specific but non-limiting example. A user may select a link through a
secure application 95, which may have the following exemplary URL associated with it: -
- http://www.youtube.com/watch?v=uWHRqspFke0
- As noted earlier, the
secure application 95 may request a socket and port value from the operating system, and the port value can factor into the modified URL. In this example, the original URL may be transformed into the following local-host URL: -
- http://localhost:4444?t=www.youtube.com&p=watch&r=v=uWHRqspFke0
- Here, the port value “4444” is now part of the URL string, which can cause the
system service 115 to point back to this port created by thesecure application 95. In addition, as can be seen, the original hostname can be encoded in the “t=” parameter, the original path can be encoded in the “p=” parameter and the original parameters can be encoded in the “r=” parameter. Thus, the modified URL can include the port value, and the remote information can be added as parameters in the modified URL. A similar example for an HTTPS request will be presented below. - In some arrangements, as part of this process, the
secure application 95 can create a proxy when the data is initially requested through thesecure application 95. The proxy can act as the intermediary between thesystem service 115 and theremote server 205. In doing so, the proxy may listen in on any sockets that were created for the overall modification of the data access request. As an example, eachsecure application 95 can be individually configured to generate the proxy for relevant data requests that it receives. - In another arrangement, the
secure application 95 may record a copy of the information associated with the original data request and can map that information to the redirect address that has been created. For example, in the example above, thesecure application 95 may record the information associated with the original URL in any suitable database, such as thememory 70 ofFIG. 1 , and can map this information to the port that was assigned to the modified URL. This way, thesecure application 95 can easily determine the originalremote server 205 when it receives the modified URL. In an alternative embodiment, the information of the original data request may not need to be stored and mapped to the redirect address. In the URL example, the original information from the URL can simply be obtained from the modified URL because the original information may be part of the modified information. - Moving back to
FIG. 4 , in the second step, the modified data access request can cause thesystem service 115 to direct the request back to thesecure application 95, instead of the originalremote server 205. That is, thesystem service 115 will establish a connection with thesecure application 95 via the port that thesecure application 95 created. In view of the mapping process described above, thesecure application 95 is able to determine the original data access request and can establish a connection with the relevant content provider, such as an appropriateremote server 205. In particular, based on the example above, thesecure application 95 can determine the original URL request and can open a connection with the location specified by the original URL. This process is reflected in the third step ofFIG. 4 . At this point, thesecure application 95 can fetch the content from theremote server 205 and can return this content to thesystem service 115 for processing, as shown in the fourth step. The user may then consume the requested data similar to a normal session. As will be explained below, there may be scenarios where a similar re-routing process can be performed to enable data usage tracking but without the invocation of asystem service 115. - As previously noted, the
secure application 95 may be configured to track data usage. In this case, thesecure application 95 can determine an amount of data that is carried over the connection that is established with theremote server 205. This can include both incoming (i.e., fromremote server 205 to secure application 95) and outgoing (i.e., fromsecure application 95 to remote server 205) content. For example, thecalculation unit 77 ofFIG. 1 can work with thesecure application 95 to tally the amount of data consumed by this particular session. In addition, because each session associated with this particularsecure application 95 can be tracked, a cumulative amount of data usage for thesecure application 95 over a certain time period can be determined. This process may also be conducted for all or at least some of the othersecure applications 95 that are installed on thecomputing device 15. As previously mentioned, the data usage associated with thesecure applications 95 may also be counted at a location that is remote to thecomputing device 15. - If the
secure applications 95 are associated with an enterprise, the enterprise can determine the amount of data usage that is tied to each of itssecure applications 95. This feature can enable the enterprise to determine data usage on thedevice 15 that is solely attributable to it. As a result, data usage tracking associated with the secure applications can be segregated from data usage that originates from the unsecure applications. - In one embodiment, the connection that is established between the
secure application 95 and theremote server 205 can be a secure connection. For example, as is known in the art, thesecure application 95 can be configured to establish virtual private network (VPN) connections with remote locations. Such a VPN connection is individual to thesecure application 95 and is different from a system-level VPN. If desired, however, the connection between thesecure application 95 and theremote server 205 is not required to be a secure connection. In addition, in another embodiment, thesecure application 95 may use a system-level VPN. - The description above may apply to other protocols that facilitate the exchange of data. For example, HTTPS traffic may also be tracked in accordance with the procedures presented herein. In one embodiment, additional steps can be taken when dealing with HTTPS traffic to ensure accurate and complete accounting. For example, if a user is accessing an HTTPS link through the
secure application 95, the original URL may be modified similar to the HTTP examples above, but the connection between thesystem service 115 and thesecure application 95 may be left in the open. - Consider the following example. If an HTTPS request is generated, the
secure application 95 can convert the HTTPS request to an HTTP request when thesecure application 95 modifies the URL for purposes of directing thesystem service 115 back to thesecure application 95. That is, thesecure application 95 can change the connection type of the data request from a secure connection to an open connection when the data request is modified. Referring back to the URL example above, the following HTTPS URL may be received: -
- https://www.youtube.com/watch?v=uWHRqspFke0
- The
secure application 95 can determine that this is an HTTPS request and can modify the URL. An exemplary conversion is presented here: -
- http://localhost:4444?s=www.youtube.com&p=watch&r=v=uWHRqspFke0
- As reflected in the string, the HTTPS request is converted to an HTTP request. As a result, the connection between the
system service 115 and thesecure application 95 can be out in the open. As will be explained below, this feature can enable thesecure application 95 to handle re-directs from theremote server 205. - As can also be seen in the string, the “s=” parameter can provide an indication that the original URL was an HTTPS request. Accordingly, when the
secure application 95 establishes the connection between it and theremote server 205, an HTTPS connection can be created. In other words, thesystem service 115 may not be responsible for establishing the HTTPS connection, and thesecure application 95 may be in control of any security-related handshaking and getting the encryption keys in place. The session between thesecure application 95 and theremote server 205 can be a transport layer security (TLS) connection, which can terminate at thesecure application 95. - As explained earlier, the
secure application 95 may be configured to arrange VPN connections in an individual manner. Such an application-level VPN can support any type of traffic that is exchanged between thesecure application 95 and theremote server 205, including both HTTP and HTTPS streams. In other words, the ability of thesecure application 95 to provide an application-level VPN does not impede the ability of thesecure application 95 to modify data access requests and then convert them back to their original form, as described above. Further, these techniques can be practiced if thesecure application 95 is using a system-level VPN or is not relying on a VPN connection at all. - As is known in the art, some initial data access requests are answered with a re-direct, which instructs the requesting source to another destination to retrieve the desired content. For example, in the case of an HTTP request, the requesting device may receive an HTTP re-direct from the server, which causes the device to generate another HTTP request based on the re-direct destination. In addition, in some cases, a URL playlist may be sent from the server, which may include a plurality of URLs. This particular feature may support HTTP live-streaming, a protocol that enables a client to select from a number of different alternate streams containing the same material encoded at a variety of data rates, which can allow the streaming session to adapt to the available data rate.
- In one arrangement, the
secure application 95 may be configured to account for these re-directs. For example, if the initial data request is an HTTP request and theremote server 205 returns an HTTP re-direct, thesecure application 95 may transform that HTTP re-direct in accordance with the modification process described above. By doing so, thesecure application 95 can ensure that thesystem service 115 establishes the new re-direct connection with thesecure application 95. As such, when thesecure application 95 detects a re-direct, thesecure application 95 can request another socket and port from the operating system to account for the new destination that originates from the re-direct. Thesecure application 95 can then open a connection between itself and the new (and appropriate)remote server 205. This process can be expanded to account for re-direct playlists, such that socket/port pairs are generated when needed for the URLs that make up the playlists. - As can be gleaned from this example, the
secure application 95 may be required to detect the re-directs in the incoming streams. If the original data access request is not based on a secure protocol, like HTTPS, then thesecure application 95 is easily able to detect the re-directs. If the original request is based on a secure protocol, however, complications may arise because the traffic being streamed to thesystem service 115 may be encrypted. As noted above, when dealing with a secure protocol, the termination point for the secure connection can be placed at thesecure application 95, not thesystem service 115. As a result, thesecure application 95 can decrypt the incoming traffic and can detect the re-directs, similar to how it would for an unsecure protocol. Thus, as an example, re-directs can be handled for both HTTP and HTTPS. - In some cases, other components may assist in the calculation of data for purposes of usage accounting. For example, some
system services 115 may offer notifications based on certain events that may be related to data usage. In one particular example, thesecure applications 95 can register for certain callbacks from the system services 115 that are equipped to provide such notifications. As an example, if a data session is initiated through asecure application 95, thesystem service 115 can provide one or more notifications that inform thesecure application 95 of the start of the session and its eventual ending. Statistics related to the amount of data that was consumed during the session can be incorporated into the notifications, which thesecure application 95 can use to track its data usage. The overall total usage related to all or at least some of thesecure applications 95 can be determined, which can allow the segregation of data consumption between secure and personal profiles, as described earlier. In this case, however, the modification of the data access requests is not required, and the system service may fetch data in its conventional manner. When available with the system services 115, this feature may be useful for data accounting, particularly when application-level VPNs are not incorporated into thesecure applications 95. - The description herein has been presented primarily in terms of a
secure application 95 handling the modification of data requests and the data usage tracking. The description, however, is not so limited. In particular, these features can be implemented into an unsecure application such that data usage can be tracked for these types of applications on an individual basis. Similarly, the system service that is involved in this process is not limited to a media player. In fact, any system service that is involved in the exchange of data with a remote location may be applicable to the description provided herein. For example, other system services that apply here may include a texting application, a dialer or any other application that facilitates or otherwise supports voice communications, a video or camera application, or a map application or other application that supports mapping features. In fact, the description herein may apply to any type of application, whether secure or unsecure, that may involve the consumption of content or the use of services in which it may be necessary to distinguish between personal use of such content and services and secure or workspace or enterprise use of the content and services. - In some cases, it may not be necessary to invoke the
system service 115 to handle a request for a data session. That is, the request for the data session may not require the launching of a separate application to handle the request. For example, thesecure application 95 may be a secure web browser, through which a user may attempt to retrieve some data. As is known in the art, in prior art cases, an application may work with the operating system of a computing device to establish a connection to an external entity, such as a web server. In a typical mobile device setting, the application may be configured to generate calls for an application programming interface (API) defined by the portable operating system interface (POSIX). In response, the operating system can establish a connection to the external entity on behalf of the application. - Similar to the description above, techniques can be implemented that enable
secure applications 95 to have such calls natively redirected back to them for the purpose of establishing a connection with the appropriate external entity and for enabling an accounting of the data session. This process can also make possible a scheme in which data usage forsecure applications 95 is counted separately from that associated withunsecure applications 90. - Referring to
FIG. 5 , amethod 500 for enabling data usage accounting is shown. Themethod 500, however, may include additional or even fewer steps or processes in comparison to what is illustrated inFIG. 5 . Moreover, themethod 500 is not necessarily limited to the chronological order that is shown inFIG. 5 . In describing themethod 500, reference may be made to the drawings attached hereto, although it is understood that themethod 500 may be practiced with any other suitable systems and components and may take advantage of other suitable processes. - At
step 505, a request for a data session can be received through a secure application, and atstep 510, in response, a listening socket can be created. The request for the data session can be intercepted, as shown atstep 515, and the request for the data session can be modified to cause the request to be re-directed back to the secure application, as shown atstep 520. Atstep 525, a connection can be initiated to enable retrieval of the data in response to the request and an accounting of the data session. Atstep 530, the listening socket can be torn down. In addition, atdecision block 535, it can be determined whether a connection with a Wi-Fi network is in place. If no, themethod 500 can resume atdecision block 535. If yes, a setting can be activated that prevents the request for the data session from being intercepted and modified, as shown atstep 540. - To help explain the
method 500, reference will be made toFIG. 6 , which presents an example of aninteraction 600 between asecure application 95 and thesystem server 40 with thesecure framework 45 facilitating the operation. Although thesecure framework 45 may be considered part of and can work in conjunction with thesecure application 95 to carry out the operations described herein, reference may in some cases be made solely to thesecure application 95 when explaining thisinteraction 600 for purposes of convenience. Initially, a user may be interacting with thesecure application 95, and the user may wish to retrieve some content from, for example, an external entity. As noted earlier, thecomputing device 15 may have bothsecure applications 95 andunsecure applications 90 installed thereon. - In response to the user interaction, the
secure application 95 may generate a request for a data session. As an example, the request may be a POSIX connect call, although the principles outlined herein are not limited to such an arrangement. This request may include addressing information that is intended to be used to establish the connection with the external entity. Examples of addressing information include the following arguments: socket (specifies the file descriptor associated with the socket); address (points to a sockaddr structure containing the peer address); and address_len (specifies the length of the sockaddr structure pointed to by the address argument. Other exemplary arguments and parameters may also be applicable here. In addition, the term “addressing information” is defined as data that is configured to facilitate or enable a connection with one or more destinations. This request may be from thesecure application 95 or the system framework associated with thesecure application 95. In either case, in response, thesecure application 95 can generate a listening socket on the loopback interface—similar to the procedures previously described. In one arrangement, the listening socket can be a temporary socket in that it can be torn down once it serves its purpose of establishing a connection through thesecure application 95. - Once the listening socket is created, the
secure application 95 can intercept the request for the data session. This interception can occur because thesecure framework 45 can be shimmed between the system framework and the operating system and can be configured to recognize predetermined calls for modification or other processing, while allowing others to pass unfettered. In any event, the data session request can be modified by re-writing portions of the request based on the newly-created listening socket. For example, the addressing information of the connect call may be re-written with the addressing information associated with the listening socket. As shown inFIG. 6 , the modified data session request can then be passed to thesystem server 40. This modified call may still be in the native format, or in the form that is normally used by thesecure application 95 and other applications on thecomputing device 15 to make calls to the operating system. That is, the native version of the relevant function can be called at this stage, where it is modified to include the new addressing information for the listening socket. - As part of the modification process, the original addressing information (or at least some portion of it) can be stored and assigned to the listening socket. The original addressing information includes the final destination address and can be used to establish the intended connection, as will be explained below. As another part of this process, a return can be generated to inform the system framework or the
secure application 95 that the requested connect is in progress. - When the operating system receives the data session request, the operating system can redirect the data session request back to the
secure application 95, as opposed to the intended final destination address. In particular, the data session request is returned to the listening socket based on the re-written addressing information that replaced the original addressing information. In this case, the operating system can wire up a connection between the relevant socket of thesecure application 95 and the listening socket through the loopback interface. Once the redirected connection is established on the listening socket, thesecure application 95 can retrieve the original addressing information and can initiate and establish the connection with the external entity, using the original addressing information. Specifically, a connect socket can be generated, and this connect socket can be used to establish a connection with the appropriate socket of the external entity. Further, once the connection with the intended external entity has been initiated (or completed), thesecure application 95 can tear down the listening socket to return system resources. - In this case, similar to the process associated with the system service redirection described above, the redirection here can be transparent to the
secure application 95 or the system framework. That is, no changes are required to be made to thesecure application 95 or the system framework to enable the interception and modification of the data session request. These objects can continue to make their native calls when seeking to exchange data with an external entity, and they are unaware that their calls are being manipulated in this manner. The terms “transparent redirection of a request” or “transparently redirecting a request” are defined as a redirection of a request in which the source of the request is unaware of its redirection, and examples of a request include a call, command or function. The terms “native redirection of a request” or “natively redirecting a request” are defined as a redirection of a request in which the source of the request maintains its reliance on native or pre-existing protocols or structure to generate or to facilitate the request. - The connection between the
secure application 95 and the external entity may support various types of formats or protocols. In some cases, the connection to the external entity may be through an application-level virtual private network (VPN), as thesecure application 95 may be configured to provide such a feature. The connection may also utilize a system-level VPN, if desired. In this case, the socket of the external entity can be the appropriate socket of the VPN, as opposed to a native socket for the back-end location. Moreover, the connection with the external entity is not necessarily limited to being a secure connection, as unsecure connections may be used. - As noted earlier, the
computing device 15 in which the previously described techniques may be practiced may include a Wi-Fi communications stack. The Wi-Fi stack can enable thedevice 15 to exchange data with external entities over a Wi-Fi network using any of the protocols within that family for which thedevice 15 is configured. In some cases, it may not be necessary to track data usage associated with secure applications 95 (or even unsecure applications 90) when thedevice 15 is camped on a Wi-Fi network. In fact, it may not be necessary to do so when thedevice 15 is operating on any non-cellular network or other networks that do not bill users for access. In this instance, when thedevice 15 is using a Wi-Fi network or other non-billable or free network for data access, a setting in the device may be activated to prevent the process of redirecting data access requests. That is, because users are typically permitted to access Wi-Fi networks for free, it may not be necessary to track data usage when thedevice 15 is using such a network, thereby obviating the need to intercept and modify the data access requests in accordance with the processes described above. When thecomputing device 15 leaves the Wi-Fi network and returns to the billing network, the setting can be deactivated, and the process of data usage counting can begin again. - In another arrangement, the tracking of data usage may be limited to a particular network, such as a predefined cellular network. Thus, the processes described herein may only be executed on this predetermined network. When the
computing device 15 is operating on any other network, the redirection process may not be carried out. For example, if thecomputing device 15 is roaming on a network, or operating on a network that is not its home network, the setting that prevents the redirection process may be activated, even though use of the roaming network may cause the user to incur data usage charges. Nonetheless, if desired, data usage tracking based on the techniques described herein may be conducted on roaming networks or Wi-Fi or other free-access networks. - As previously noted, the counting or calculation of data can be performed at a location that is remote to the
computing device 15. For example, an arrangement may be configured in which certain data sessions are facilitated by a remote relay to enable data tracking at the relay or some other suitable location. Referring toFIG. 7 , an example of asystem 700 that enables data usage accounting through a relay is illustrated. Thesystem 700 can include one ormore computing devices 15—which may have bothunsecure applications 90 andsecure applications 95 installed thereon—and one or moreremote servers 205. Theremote servers 205 and thecomputing devices 15 may exchange various forms of data with one another. Similar toFIG. 2 , one ormore networks 210 may facilitate the exchange of data between thecomputing devices 15 and theremote servers 205. The network(s) 210 may be composed of various types of components to support wireless or wired communications (including both). The network(s) 210 may also be configured to support local or wide area communications (or both). - In one arrangement, the
network 210 may include one ormore relay servers 705, and at least some of therelay servers 705 may include acalculation unit 710. Thecalculation unit 710 may be a part of therelay server 705 or may be an independent component that is communicatively coupled to therelay server 705. In either case, connections may be established between any of therelay servers 705 and any of thecomputing devices 15 and between any of therelay servers 705 and any of theremote servers 205. As will be explained further below, when such connections are established, the data that is transferred between thecomputing devices 15 and theremote servers 205 may be calculated or counted, such as by theappropriate calculation units 710. To enable the segregation of data usage accounting between enterprise and personal use, such tracking may only be conducted forsecure applications 95 or other processes associated with the enterprise and not the user's personal activities. - As mentioned above, there may be
numerous networks 210 involved to handle the exchange of data between thecomputing devices 15 and theremote servers 205. Therelay servers 705, however, may be associated with a predetermined network, such that thecomputing device 15 is directed to aserver 705 in thisparticular network 210. Moreover, the use of the relay servers 705 (and hence, the calculation units 710) may be selective in nature. For example, this arrangement may only be utilized forsecure applications 95 and when thecomputing device 15 is camped on acertain network 210 for service, such as a predetermined cellular network. - Referring to
FIG. 8 , amethod 800 of enabling data usage accounting through a relay is illustrated. Themethod 800, however, may include additional or even fewer steps or processes in comparison to what is illustrated inFIG. 8 . Moreover, themethod 800 is not necessarily limited to the chronological order that is shown inFIG. 8 . In describing themethod 800, reference may be made to the drawings attached hereto, although it is understood that themethod 800 may be practiced with any other suitable systems and components and may take advantage of other suitable processes. - At
step 805, on a computing device that has secure applications and unsecure applications installed thereon, a request for a data session can be received through a secure application. The request may include a final endpoint. Atstep 810, the request for the data session can be intercepted, and the request can be modified to cause the request to be redirected back to the secure application, as shown atstep 815. Atstep 820, a connection can be initiated with a relay server instead of the final endpoint such that data usage accounting for the data session is to be conducted at a remote location. - In addition, at
step 825, the computing device can be authenticated with the relay server prior to permitting data exchange between the secure application and the relay server. Atstep 830, the final endpoint can be provided to the relay server to enable the relay server to establish a connection with the final endpoint. Atstep 835, data from the secure application may be buffered while the connection with the relay server or the final endpoint is being established. Data associated with the final endpoint may be counted such that a data usage amount is determined for the requesting secure application, as shown atstep 840. Atstep 845, a report can be generated that details the data usage of the secure applications installed on the computing device. Additionally, atdecision block 850, it can be determined whether the computing device is operating on a Wi-Fi communication network. If not, themethod 800 can resume atdecision block 850. If yes, in response to such a determination, a setting can be activated that prevents the data session request to be redirected back to the secure application and the initiation of the connection with the relay server, as shown atstep 855. - To help explain the
method 800, reference will be made toFIG. 9 , which shows an example of aninteraction 900 among a secure application 95 (along with the secure framework 45), a relay server 705 (and calculation unit 710) and aremote server 205. As previously explained, thesecure framework 45 may be considered to be part of thesecure application 95, and thecalculation unit 710 may be part of therelay server 710, although other suitable arrangements may apply to these principles. - As an example, a user may initiate a data session request through a
secure application 95, which may be intercepted and modified to be redirected back to thesecure application 95. This process may be similar to the exemplary techniques described above with respect to re-writing URLs and addressing information. That is, thesecure application 95, via thesecure framework 45, may set up a listening socket on a loopback interface, and the relevant data can be re-written to cause the request to be redirected to the listening socket. Here, however, thesecure application 95 can initiate a connection with therelay server 705. Therelay server 705, which can be any suitable combination of hardware and software, can be used to initiate and establish a connection with the final endpoint of the data session request, which may be theremote server 205. - For example, when the data session request is intercepted, the
secure application 95 can re-write the addressing information of the request with the addressing information of the listening socket of the loopback interface and can store the replaced addressing information. The stored addressing information may be the addressing information of the final endpoint. As before, a return can be generated to inform the system framework or thesecure application 95 that the requested connect is in progress. When the operating system establishes the connection between the socket of thesecure application 95 and the listening socket, thesecure application 95 may then generate an accepted or connected socket. The connected socket may enable data to be passed to and from thesecure application 95 through the loopback interface. As an example, after the connected socket is generated, the listening socket may be torn down to preserve system resources, although such a step may be bypassed in other circumstances. - In one arrangement, when the connection is accepted on the listening socket, the
secure application 95 may generate a back-end socket for initiating and establishing the connection with, for example, theappropriate relay server 705, which may be listening for connections on its public IP address. As part of initiating the connection with therelay server 705, the connection protocol with therelay server 705 may be negotiated, which may include authentication of thecomputing device 15 or some other process, service or component that is part of thedevice 15. As an example, the IP address of thecomputing device 15 may be provided to enable the authentication of thedevice 15. - While the connection between the
secure application 95 and therelay server 705 is being negotiated, any data that may be generated by thesecure application 95 may be buffered, at least until, for example, the connection with therelay server 705 is established. In particular, the connection between the relevant socket of thesecure application 95 and the connected socket of the loopback interface may be operatively the same as a connection with a final endpoint. In view of this connection, a one-to-one mapping between the socket of thesecure application 95 and the connected socket may exist. As such, thesecure application 95 may behave naturally and to support this feature, any portion of the data generated by thesecure application 95 during the negotiation with therelay server 705 can be saved for eventual transmission to therelay server 705. - In one arrangement, once the connection with the
relay server 705 is established, thesecure application 95 can send the final endpoint of the data session request to therelay server 705. For example, thesecure application 95 may, in accordance with the protocol of therelay server 705, package the addressing information of the final endpoint as part of a payload for therelay server 705. In one arrangement, any buffered data from thesecure application 95 may be sent to therelay server 705. Therelay server 705 can establish the connection with the remote server 205 (i.e., final endpoint) on behalf of thesecure application 95. If necessary, therelay server 705 may also buffer data during its negotiation with theremote server 205. Once the connection is established between therelay server 705 and theremote server 205, data exchanges may occur between thesecure application 95 of thecomputing device 15 and theremote server 205, via therelay server 705. In an alternative arrangement, the buffered data may be held at thecomputing device 15 until the connection between therelay server 705 and theremote server 205 is completed. - Eventually, the data session may end, either through the
secure application 95, therelay server 705, theremote server 205 or some other process or component. In either case, the components/processes may tear down the connections and release any relevant system resources. As an example, thesecure application 95 may close the loopback interface (and any associated sockets) in the event the session is completed. These principles may also apply in the event that any of the connections are unable to be established in response to the initial request. - As noted previously, uniform resource locators (URL) may be re-written, particularly in the case of calls being made to a
system service 115. The process of establishing the connection with therelay server 705 and theremote server 205 is similar to that described above. In this case, however, during the time the connection with therelay server 705 is being established, thesecure application 95 can perform a domain name system (DNS) look-up of the original host name to determine the appropriate IP address for the final endpoint. Once the IP address is retrieved and the connection with therelay server 705 is established, thesecure application 95 can provide the IP address as part of the addressing information that is packaged and sent to therelay server 705. That is, the re-written URL may be resolved into an address that can be used to establish the connection with the appropriateremote server 205 through therelay server 705. - In either arrangement, any data that is exchanged between the
secure application 95 and theremote server 205 may be routed through therelay server 705. As such, therelay server 705 can be configured to facilitate the remote tracking of data usage for thesecure application 95 for this exchange, as well as other sessions in the future. For example, thecalculation unit 710 may determine the data usage for thesecure application 95, as well as othersecure applications 95, and can generate one or more reports that indicate the details of such usage. As an example, the data usage can be correlated with aparticular computing device 15 through the received IP address of thedevice 15. The report can include usage totals on an individual or group basis for any number ofsecure applications 95. These reports may then be disseminated to the relevant parties for purposes of billing. - As illustrated here, a relay scheme can be leveraged to enable remote data counting for the
computing device 15. There are other alternatives, however, that may apply. For example, the counting of the data based on the exchanges with the external entity may be performed at thecomputing device 15, such as through thesecure application 95 that requested the session or a hub application 120 (seeFIG. 1 ). Moreover, thecalculation units 710 may not necessarily be at the same location as therelay servers 705, as theunits 710 may be remote to both thecomputing device 15 and therelay servers 705. In addition, any number ofcalculation units 710 may be associated with any number ofrelay servers 705. In fact, these components may be grouped together in any suitable fashion. For example, any number ofrelay servers 705 andcalculation units 710 may be grouped together for an enterprise in which the users of thecomputing devices 15 being tracked are associated with the enterprise, such as employees of the enterprise. These groupings may be isolated from one another to prevent comingling of data streams associated with different enterprises to ensure accurate billing. - As explained earlier, this process of establishing a connection with a
relay server 705 to enable data exchange with a final destination and for tracking and counting the data associated with such sessions may be restricted to secureapplications 95, such as those installed on thecomputing device 15. As such, this procedure may not be performed for any data sessions associated withunsecure applications 90. Because thesecure applications 95 may likely be associated with or sponsored by an enterprise, the process presented here can allow for separate data usage charges for thecomputing device 15 with respect to a user's personal data and that affiliated with, for example, the user's employer. Of course, such an arrangement may be implemented for any application, including individual applications or for certain groups of applications, and may not necessarily be limited only to secureapplications 95. - In another arrangement, the process of establishing the connection with the
relay server 705 as described above may be transparent to thesecure application 95. As another example, this connection may be based on a protocol that is non-native to thesecure application 95. As is known in the art, asecure application 95 is created from a target application that is typically available to one or more parties for download, such as through an app store or some other electronic storefront. The original portions of the target application that make up thesecure application 95 may be unaware of the connection with therelay server 705 and such portions may continue to make calls in their native formats. This principle also applies to the system framework. Thesecure framework 45 of thesecure application 95, however, may be configured to abstract the necessary calls and protocol associated with establishing the connection with therelay server 705. As such, the original developer is relieved of having to change any of the original code to facilitate the relaying arrangement or to operate in accordance with the non-native protocol of therelay server 705. - In one embodiment, the protocol for the connection to the
relay server 705 can be configured to traverse firewalls or other security features to permit access to protected internal resources. For example, this connection may be based on a layer 4 solution (transport) per the open systems interconnection (OSI) model, as opposed to tunneling or networking technologies associated with layer 3 of the OSI model. This arrangement reduces the complexities of the connection because there are no addressing resolution issues, as would be the case for a VPN solution. That is, the transport layer solution obviates the need to deploy a networking infrastructure, and the non-native protocol can be resolved by thesecure framework 45. Almost any type of data may flow over the relay connection, as well, including encrypted and unencrypted traffic. - The
secure application 95 may be configured to connect to an external entity in multiple ways. For example, thesecure application 95 may use blocking or non-blocking sockets or transmission control protocol (TCP) or user datagram protocol (UDP) connections. The solutions presented here can accommodate all or at least a portion of the possible ways asecure application 95 may be designed to connect to the external entity. That is, thesecure framework 45 may be constructed to intercept the various networking calls of thesecure application 95 and to perform the redirects and connection-initiation with therelay server 705 in accordance with the protocol of therelay server 705, as described above. Thus, in one arrangement, a plurality of predetermined disparate networking calls or functions of thesecure applications 95 that are based on various connection modes may be identified. These calls or functions may then be manipulated when they are activated in accordance with the descriptions above to permit data exchange over a relay connection that is based on a single connection mode. - In some cases, the execution of this relaying process may hinge on the type of network to which the
computing device 15 is connected. For example, if thecomputing device 15 is camped on a Wi-Fi network or some other public, private or free access network, a setting may be activated that prevents the data session request from being redirected back to the secure application or the initiation of the connection with therelay server 705, or both. In addition, the relaying process may only be conducted if thecomputing device 15 is camped on a predetermined network, such as its home cellular network. As such, if thedevice 15 is roaming, the setting described above may be activated. Of course, these embodiments are not meant to be limiting, as the techniques presented here may be applicable to any one of the networks with which thecomputing device 15 may conduct communications. - While various embodiments have been described above, it should be understood that they have been presented by way of example only, and not limitation. It will be understood by those skilled in the relevant art(s) that various changes in form and details may be made therein without departing from the spirit and scope of the subject matter as defined in the appended claims. Accordingly, the breadth and scope of the present subject matter should not be limited by any of the above-described exemplary embodiments, but should be defined only in accordance with the following claims and their equivalents.
- The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved.
Claims (22)
Priority Applications (7)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/615,799 US20160071040A1 (en) | 2014-09-05 | 2015-02-06 | Method and system for enabling data usage accounting through a relay |
US14/641,795 US9100390B1 (en) | 2014-09-05 | 2015-03-09 | Method and system for enrolling and authenticating computing devices for data usage accounting |
US14/669,120 US9106538B1 (en) | 2014-09-05 | 2015-03-26 | Method and system for enabling data usage accounting through a relay |
US14/802,701 US9350818B2 (en) | 2014-09-05 | 2015-07-17 | Method and system for enabling data usage accounting for unreliable transport communication |
US14/822,150 US20160072786A1 (en) | 2014-09-05 | 2015-08-10 | Method and system for enabling data usage accounting through a relay |
US15/658,015 US10410154B2 (en) | 2014-09-05 | 2017-07-24 | Method and system for enabling data usage accounting through a relay |
US16/533,094 US10943198B2 (en) | 2014-09-05 | 2019-08-06 | Method and system for enabling data usage accounting through a relay |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/478,066 US8938547B1 (en) | 2014-09-05 | 2014-09-05 | Method and system for data usage accounting in a computing device |
US14/573,601 US9232012B1 (en) | 2014-09-05 | 2014-12-17 | Method and system for data usage accounting in a computing device |
US14/608,662 US9232013B1 (en) | 2014-09-05 | 2015-01-29 | Method and system for enabling data usage accounting |
US14/615,799 US20160071040A1 (en) | 2014-09-05 | 2015-02-06 | Method and system for enabling data usage accounting through a relay |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/608,662 Continuation-In-Part US9232013B1 (en) | 2014-09-05 | 2015-01-29 | Method and system for enabling data usage accounting |
Related Child Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/641,795 Continuation-In-Part US9100390B1 (en) | 2014-09-05 | 2015-03-09 | Method and system for enrolling and authenticating computing devices for data usage accounting |
US14/669,120 Continuation US9106538B1 (en) | 2014-09-05 | 2015-03-26 | Method and system for enabling data usage accounting through a relay |
Publications (1)
Publication Number | Publication Date |
---|---|
US20160071040A1 true US20160071040A1 (en) | 2016-03-10 |
Family
ID=53763385
Family Applications (5)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/615,799 Abandoned US20160071040A1 (en) | 2014-09-05 | 2015-02-06 | Method and system for enabling data usage accounting through a relay |
US14/669,120 Active US9106538B1 (en) | 2014-09-05 | 2015-03-26 | Method and system for enabling data usage accounting through a relay |
US14/822,150 Abandoned US20160072786A1 (en) | 2014-09-05 | 2015-08-10 | Method and system for enabling data usage accounting through a relay |
US15/658,015 Active US10410154B2 (en) | 2014-09-05 | 2017-07-24 | Method and system for enabling data usage accounting through a relay |
US16/533,094 Active US10943198B2 (en) | 2014-09-05 | 2019-08-06 | Method and system for enabling data usage accounting through a relay |
Family Applications After (4)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/669,120 Active US9106538B1 (en) | 2014-09-05 | 2015-03-26 | Method and system for enabling data usage accounting through a relay |
US14/822,150 Abandoned US20160072786A1 (en) | 2014-09-05 | 2015-08-10 | Method and system for enabling data usage accounting through a relay |
US15/658,015 Active US10410154B2 (en) | 2014-09-05 | 2017-07-24 | Method and system for enabling data usage accounting through a relay |
US16/533,094 Active US10943198B2 (en) | 2014-09-05 | 2019-08-06 | Method and system for enabling data usage accounting through a relay |
Country Status (1)
Country | Link |
---|---|
US (5) | US20160071040A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107563741A (en) * | 2017-10-20 | 2018-01-09 | 国信嘉宁数据技术有限公司 | A kind of data save related service charging method and system from damage |
Families Citing this family (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9064275B1 (en) | 2008-07-25 | 2015-06-23 | At&T Intellectual Property I, L.P. | Systems and methods for charging and billing in converged communications networks |
JP2016033811A (en) * | 2014-07-30 | 2016-03-10 | 富士通株式会社 | Session management method, session management device, session management program and communication processing method |
US9350818B2 (en) | 2014-09-05 | 2016-05-24 | Openpeak Inc. | Method and system for enabling data usage accounting for unreliable transport communication |
EP3089427B1 (en) * | 2015-04-27 | 2023-09-06 | Vodafone Holding GmbH | Controlling data exchange between a mobile communication network and a data provider |
JP2017059894A (en) * | 2015-09-14 | 2017-03-23 | 株式会社オートネットワーク技術研究所 | Communication system |
US9686415B2 (en) | 2015-11-06 | 2017-06-20 | At&T Intellectual Property I, L.P. | Systems and methods of split billing |
US11627049B2 (en) * | 2019-01-31 | 2023-04-11 | Hewlett Packard Enterprise Development Lp | Failsafe firmware upgrade for cloud-managed devices |
US11271777B2 (en) | 2019-09-24 | 2022-03-08 | Pribit Technology, Inc. | System for controlling network access of terminal based on tunnel and method thereof |
US11652801B2 (en) | 2019-09-24 | 2023-05-16 | Pribit Technology, Inc. | Network access control system and method therefor |
US11190494B2 (en) | 2019-09-24 | 2021-11-30 | Pribit Technology, Inc. | Application whitelist using a controlled node flow |
US11082256B2 (en) | 2019-09-24 | 2021-08-03 | Pribit Technology, Inc. | System for controlling network access of terminal based on tunnel and method thereof |
Family Cites Families (280)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5294782A (en) | 1991-09-27 | 1994-03-15 | Khyber Technologies Corporation | Integrated portable device for point of sale transactions |
EP0616749B1 (en) | 1991-12-10 | 2002-01-30 | Khyber Technologies Corporation | Portable messaging and scheduling device with homebase station |
US5265951A (en) | 1992-02-13 | 1993-11-30 | Khyber Technologies Corporation | Card reading terminal having protective shield for input port thereof |
US5484989A (en) | 1992-02-13 | 1996-01-16 | Khyber Technologies Corporation | Card reading terminal having protective shield for input port thereof |
US5381348A (en) | 1993-01-11 | 1995-01-10 | Fluke Corporation | Token ring local area network testing apparatus using time delay reflectory |
GB2275309B (en) | 1993-02-22 | 1997-10-29 | Yang Tai Her | Differential coupling and compounding system |
US5357585A (en) | 1993-07-09 | 1994-10-18 | Khyber Technologies Corporation | Headphone assembly |
US6684261B1 (en) | 1993-07-19 | 2004-01-27 | Object Technology Licensing Corporation | Object-oriented operating system |
US5616906A (en) | 1993-07-23 | 1997-04-01 | Khyber Technologies Corporation | Grip held and grip operable data entry device |
US5925873A (en) | 1993-07-23 | 1999-07-20 | Khyber Technologies Corporation | Grip held and grip operable data entry device |
US5694546A (en) * | 1994-05-31 | 1997-12-02 | Reisman; Richard R. | System for automatic unattended electronic information transport between a server and a client by a vendor provided transport software with a manifest list |
US5548478A (en) | 1994-07-25 | 1996-08-20 | Khyber Technologies Corporation | Portable computing device having an adjustable hinge |
US5521369A (en) | 1994-07-25 | 1996-05-28 | Khyber Technologies Corporation | Card shaped computer peripheral device |
US20100208634A1 (en) * | 1994-10-11 | 2010-08-19 | Arbinet Corporation | System and Method For Managing Multimedia Communications Across Convergent Networks |
US5548477A (en) | 1995-01-27 | 1996-08-20 | Khyber Technologies Corporation | Combination keyboard and cover for a handheld computer |
US5632373A (en) | 1995-04-03 | 1997-05-27 | Khyber Technologies Corporation | Protective case for portable computer |
US5774869A (en) * | 1995-06-06 | 1998-06-30 | Interactive Media Works, Llc | Method for providing sponsor paid internet access and simultaneous sponsor promotion |
US5708560A (en) | 1995-07-24 | 1998-01-13 | Khyber Technologies Corporation | Selectively attachable keyboard bracket and lockable holder for a handheld computer |
JPH0944269A (en) | 1995-07-25 | 1997-02-14 | Fujitsu Ltd | Electronic equipment, casing for electronic equipment and manufacture of the casing |
CA2228014C (en) | 1995-07-31 | 2008-07-22 | Verifone, Inc. | Method and apparatus for operating resources under control of a security module or other secure processor |
US5823879A (en) * | 1996-01-19 | 1998-10-20 | Sheldon F. Goldberg | Network gaming system |
US6473768B1 (en) * | 1996-11-12 | 2002-10-29 | Computer Associates Think, Inc. | System and method for modifying an executing application |
US6708221B1 (en) | 1996-12-13 | 2004-03-16 | Visto Corporation | System and method for globally and securely accessing unified information in a computer network |
JP3518242B2 (en) | 1997-04-14 | 2004-04-12 | 株式会社日立製作所 | Electronic equipment |
US6023721A (en) | 1997-05-14 | 2000-02-08 | Citrix Systems, Inc. | Method and system for allowing a single-user application executing in a multi-user environment to create objects having both user-global and system global visibility |
US20080207178A1 (en) * | 1997-07-30 | 2008-08-28 | Steven Tischer | Apparatus and method for restricting access to data |
US6084769A (en) | 1997-08-20 | 2000-07-04 | Compaq Computer Corporation | Docking station with auxiliary heat dissipation system for a docked portable computer |
US7688952B2 (en) | 1997-11-03 | 2010-03-30 | Light Elliott D | System and method for obtaining equipment status data over a network |
US6052709A (en) | 1997-12-23 | 2000-04-18 | Bright Light Technologies, Inc. | Apparatus and method for controlling delivery of unsolicited electronic mail |
US6151606A (en) | 1998-01-16 | 2000-11-21 | Visto Corporation | System and method for using a workspace data manager to access, manipulate and synchronize network data |
TW445386B (en) | 1998-03-16 | 2001-07-11 | Hitachi Ltd | Thin-type display |
US6681238B1 (en) | 1998-03-24 | 2004-01-20 | International Business Machines Corporation | Method and system for providing a hardware machine function in a protected virtual machine |
US6799277B2 (en) | 1998-06-04 | 2004-09-28 | Z4 Technologies, Inc. | System and method for monitoring software |
US6266539B1 (en) | 1998-06-12 | 2001-07-24 | Cisco Technology, Inc. | Telephone docking station for personal digital assistant |
US6181553B1 (en) | 1998-09-04 | 2001-01-30 | International Business Machines Corporation | Arrangement and method for transferring heat from a portable personal computer |
US6397246B1 (en) * | 1998-11-13 | 2002-05-28 | International Business Machines Corporation | Method and system for processing document requests in a network system |
US8266266B2 (en) * | 1998-12-08 | 2012-09-11 | Nomadix, Inc. | Systems and methods for providing dynamic network authorization, authentication and accounting |
US6457030B1 (en) | 1999-01-29 | 2002-09-24 | International Business Machines Corporation | Systems, methods and computer program products for modifying web content for display via pervasive computing devices |
GB2346761B (en) | 1999-02-11 | 2003-12-10 | Mitel Corp | A telephone apparatus |
US20040052343A1 (en) | 1999-02-16 | 2004-03-18 | Glaser Lawrence F. | Telecommunications installation and management system and method |
WO2000052623A2 (en) * | 1999-03-02 | 2000-09-08 | Safety Insurance Group | A method and system for delivering customer services to independent insurance agents |
US20020013852A1 (en) | 2000-03-03 | 2002-01-31 | Craig Janik | System for providing content, management, and interactivity for thin client devices |
JP2000269671A (en) | 1999-03-19 | 2000-09-29 | Toshiba Corp | Electronic apparatus |
WO2000060450A1 (en) | 1999-04-07 | 2000-10-12 | Khyber Technologies Corporation | Portable computing, communication and entertainment device with central processor carried in a detachable handset |
US6804778B1 (en) | 1999-04-15 | 2004-10-12 | Gilian Technologies, Ltd. | Data quality assurance |
US6952617B1 (en) | 1999-07-15 | 2005-10-04 | Khyber Technologies Corporation | Handheld computer with detachable handset |
JP2001091174A (en) | 1999-09-22 | 2001-04-06 | Kel Corp | Heat transfer connector |
US6952671B1 (en) | 1999-10-04 | 2005-10-04 | Xvd Corporation | Vector quantization with a non-structured codebook for audio compression |
US6983311B1 (en) * | 1999-10-19 | 2006-01-03 | Netzero, Inc. | Access to internet search capabilities |
US6571221B1 (en) * | 1999-11-03 | 2003-05-27 | Wayport, Inc. | Network communication service with an improved subscriber model using digital certificates |
US6839684B1 (en) * | 1999-12-06 | 2005-01-04 | Nokia Corporation | Host-sponsored data transmission billing system and method |
US20040098449A1 (en) | 2000-01-20 | 2004-05-20 | Shai Bar-Lavi | System and method for disseminating information over a communication network according to predefined consumer profiles |
US20010042099A1 (en) | 2000-02-02 | 2001-11-15 | Doongo Technologies, Inc. | Apparatus and methods for optimizing traffic volume in wireless email communications |
US20060143250A1 (en) | 2000-03-09 | 2006-06-29 | Pkware, Inc. | System and method for manipulating and managing computer archive files |
US7526437B1 (en) | 2000-04-06 | 2009-04-28 | Apple Inc. | Custom stores |
US20020032609A1 (en) * | 2000-07-27 | 2002-03-14 | Wilkman Michael Allen | Calendar transaction manager agent, systems and methods |
KR100445284B1 (en) | 2000-10-26 | 2004-08-25 | 미쓰비시덴키 가부시키가이샤 | An internet telephone network system and a network access method and a telephone equipment adapter |
JP2004530958A (en) | 2000-11-28 | 2004-10-07 | フォースパス インコーポレイテッド | Method and system for maintaining and delivering wireless applications |
US6832207B1 (en) | 2000-11-28 | 2004-12-14 | Almond Net, Inc. | Super saturation method for information-media |
US6957390B2 (en) | 2000-11-30 | 2005-10-18 | Mediacom.Net, Llc | Method and apparatus for providing dynamic information to a user via a visual display |
MY147018A (en) | 2001-01-04 | 2012-10-15 | Thomson Licensing Sa | A method and apparatus for acquiring media services available from content aggregators |
US7155518B2 (en) | 2001-01-08 | 2006-12-26 | Interactive People Unplugged Ab | Extranet workgroup formation across multiple mobile virtual private networks |
US20020103879A1 (en) * | 2001-01-26 | 2002-08-01 | Mondragon Oscar A. | Method of advertising via the internet |
US7039041B2 (en) | 2001-03-20 | 2006-05-02 | Robohm Kurt W | Operational support system for telecommunication services |
US8417632B2 (en) * | 2001-03-20 | 2013-04-09 | Verizon Business Global Llc | Systems and methods for interfacing with a billing and account management unit |
US7058088B2 (en) | 2001-03-28 | 2006-06-06 | Minolta Co., Ltd. | Data communication program product to rewrite simultaneously firmware of plurality of devices connected to network |
US20020143956A1 (en) * | 2001-04-03 | 2002-10-03 | Murata Kikai Kabushiki Kaisha | Relay server |
FR2823936B1 (en) | 2001-04-19 | 2003-05-30 | France Telecom | METHOD AND SYSTEM FOR CONDITIONAL ACCESS TO IP SERVICES |
US6900984B2 (en) | 2001-04-24 | 2005-05-31 | Apple Computer, Inc. | Computer component protection |
CA2386576C (en) | 2001-05-15 | 2009-07-21 | Research In Motion Limited | Information system with detachable information module |
US7640434B2 (en) * | 2001-05-31 | 2009-12-29 | Trend Micro, Inc. | Identification of undesirable content in responses sent in reply to a user request for content |
US6674640B2 (en) | 2001-07-02 | 2004-01-06 | Intel Corporation | Increased thermal capability of portable electronic device in stationary or docked mode |
US7243163B1 (en) | 2001-08-07 | 2007-07-10 | Good Technology, Inc. | System and method for full wireless synchronization of a data processing apparatus with a messaging system |
US7529711B2 (en) * | 2001-10-31 | 2009-05-05 | Nortel Networks Limited | Method and system for providing and billing internet services |
US7631084B2 (en) | 2001-11-02 | 2009-12-08 | Juniper Networks, Inc. | Method and system for providing secure access to private networks with client redirection |
TW583529B (en) | 2001-11-15 | 2004-04-11 | Wistron Corp | Liquid crystal display computer with a removable device frame |
AU2002357731A1 (en) | 2001-11-15 | 2003-06-10 | Visto Corporation | System and methods for asychronous synchronization |
US7564824B2 (en) | 2002-02-04 | 2009-07-21 | Qualcomm Incorporated | Methods and apparatus for aggregating MIP and AAA messages |
JP2003316909A (en) * | 2002-02-21 | 2003-11-07 | Seiko Epson Corp | Terminal connection service system, communication terminal, local server, method of terminal connection service, method of connecting communication terminal, and computer program |
WO2003073255A1 (en) * | 2002-02-25 | 2003-09-04 | Predictive Media Corporation | Recommendation-based electronic program guides with user-imperceptible preferences |
US7275243B2 (en) | 2002-03-22 | 2007-09-25 | Sun Microsystems, Inc. | Mobile download system |
US7788382B1 (en) | 2002-03-26 | 2010-08-31 | Good Technology, Inc. | Server initiated synchronization |
US6914551B2 (en) | 2002-04-12 | 2005-07-05 | Apple Computer, Inc. | Apparatus and method to facilitate universal remote control |
GB0209190D0 (en) | 2002-04-23 | 2002-06-05 | Lewis Keith | Lighting apparatus |
US7447799B2 (en) | 2002-04-24 | 2008-11-04 | Good Technology, Inc. | System and method for automatically updating a wireless device |
USRE44122E1 (en) | 2002-05-29 | 2013-04-02 | Khyber Technologies Corporation | Portable data entry device with a detachable host PDA |
EP1532539B1 (en) | 2002-06-06 | 2015-12-09 | Pulse Secure, LLC | Method and system for providing secure access to private networks |
US7627872B2 (en) * | 2002-07-26 | 2009-12-01 | Arbitron Inc. | Media data usage measurement and reporting systems and methods |
US20040030887A1 (en) * | 2002-08-07 | 2004-02-12 | Harrisville-Wolff Carol L. | System and method for providing secure communications between clients and service providers |
EP2955896B1 (en) | 2002-08-09 | 2017-10-18 | Good Technology Holdings Limited | System and method for preventing access to data on a compromised remote device |
US20040060687A1 (en) | 2002-09-27 | 2004-04-01 | Moss David William | Versatile and ergonomic heat-dissipating stand for attachment to portable computers |
US7120785B1 (en) | 2002-11-25 | 2006-10-10 | Apple Computer, Inc. | Method and apparatus rendering user accounts portable |
FR2849230B1 (en) | 2002-12-24 | 2005-04-22 | Francois Bangui | METHOD AND APPARATUS FOR VERIFYING THE INTEGRITY OF A SOFTWARE APPLICATION WITHOUT AN ENCRYPTION / DECRYMENT KEY |
US20040139170A1 (en) | 2003-01-15 | 2004-07-15 | Ming-Teh Shen | Method and apparatus for management of shared wide area network connections |
US7171194B2 (en) | 2003-02-14 | 2007-01-30 | Maxon, Llc | Network device management |
US6870735B2 (en) | 2003-03-25 | 2005-03-22 | Jds Uniphase Corporation | Heat sink with visible logo |
US7627343B2 (en) | 2003-04-25 | 2009-12-01 | Apple Inc. | Media player system |
US7275073B2 (en) | 2003-05-07 | 2007-09-25 | Good Technology, Inc. | System and method for notifying mobile devices based on device type and network capabilities |
US7890091B2 (en) | 2003-05-08 | 2011-02-15 | Good Technology, Inc. | Collaborative data and intelligent synchronization for mobile devices |
US7184801B2 (en) | 2003-05-12 | 2007-02-27 | Good Technology, Inc. | Mobile application builder |
US7236770B2 (en) | 2003-09-03 | 2007-06-26 | Good Technology, Inc. | System and method for notifying target communication devices of message reception at a message server via log file monitoring |
GB0322716D0 (en) | 2003-09-29 | 2003-10-29 | Symbian Ltd | Multi-user mobile telephones for community access to services |
US7821984B2 (en) * | 2003-09-29 | 2010-10-26 | Wilson W David | Satellite distributed high speed internet access |
WO2005043360A1 (en) | 2003-10-21 | 2005-05-12 | Green Border Technologies | Systems and methods for secure client applications |
US20050213960A1 (en) | 2003-10-31 | 2005-09-29 | Cyrus Baldwin | Heat pumped surveillance camera housing and method of manufacturing the same |
US20050120331A1 (en) | 2003-12-02 | 2005-06-02 | International Business Machines Corporation | Hosting environment abstraction agents |
JP4822663B2 (en) | 2003-12-12 | 2011-11-24 | ソニー株式会社 | Information processing apparatus and method, and program |
WO2005057893A2 (en) | 2003-12-15 | 2005-06-23 | Bce Inc. | Adapter for secure voip communications |
US8078739B1 (en) | 2003-12-29 | 2011-12-13 | Cisco Technology, Inc. | Solution for handling URL-substitution for data access in a private network architecture |
JP4408224B2 (en) | 2004-01-29 | 2010-02-03 | 富士通株式会社 | Housing with heat dissipation function |
US7400878B2 (en) | 2004-02-26 | 2008-07-15 | Research In Motion Limited | Computing device with environment aware features |
EP1583312A1 (en) * | 2004-04-02 | 2005-10-05 | France Telecom | Apparatuses and method for controlling access to an IP multimedia system from an application server |
US20060030341A1 (en) | 2004-08-06 | 2006-02-09 | Avaya Technology Corp. | Mobile desk phone |
US9232338B1 (en) * | 2004-09-09 | 2016-01-05 | At&T Intellectual Property Ii, L.P. | Server-paid internet access service |
US7620001B2 (en) | 2004-10-13 | 2009-11-17 | Good Technology, Inc. | Communication system and method with mobile devices |
JP4426943B2 (en) | 2004-10-27 | 2010-03-03 | インターナショナル・ビジネス・マシーンズ・コーポレーション | Electronic device provided with cooling device inside casing |
GB0426736D0 (en) | 2004-12-06 | 2005-01-12 | Omnifone Ltd | MyFone |
US20060121880A1 (en) | 2004-12-07 | 2006-06-08 | Cowsar Lawrence C | Method and apparatus for enabling authorized and billable message transmission between multiple communications environments |
US7823214B2 (en) | 2005-01-07 | 2010-10-26 | Apple Inc. | Accessory authentication for electronic devices |
US7630493B2 (en) | 2005-01-18 | 2009-12-08 | Tricipher, Inc. | Multiple factor private portion of an asymmetric key |
US20060200658A1 (en) | 2005-03-07 | 2006-09-07 | Bitfone Corporation | Agent framework for mobile devices |
US8375369B2 (en) | 2005-04-26 | 2013-02-12 | Apple Inc. | Run-time code injection to perform checks |
US7970386B2 (en) | 2005-06-03 | 2011-06-28 | Good Technology, Inc. | System and method for monitoring and maintaining a wireless device |
US8078740B2 (en) | 2005-06-03 | 2011-12-13 | Microsoft Corporation | Running internet applications with low rights |
US20060277209A1 (en) | 2005-06-06 | 2006-12-07 | Javaground Usa, Inc. | Efficient and automatic software application development system for wireless devices |
TWI283806B (en) | 2005-06-07 | 2007-07-11 | Htc Corp | Portable electronic device |
JP2007048216A (en) | 2005-08-12 | 2007-02-22 | Canon Inc | Document management device, document management method, document management program, and storage medium |
GB0517065D0 (en) * | 2005-08-19 | 2005-09-28 | Nokia Corp | Online charging management server |
EP1761082B1 (en) | 2005-09-02 | 2018-06-13 | Nokia Solutions and Networks GmbH & Co. KG | Method and system to connect a second communication network having a connection node to a first communication network having a contact node |
US20070080823A1 (en) | 2005-10-07 | 2007-04-12 | Apple Computer, Inc. | Techniques for pairing remote controllers with host devices |
CN100361456C (en) | 2005-10-13 | 2008-01-09 | 华为技术有限公司 | Terminal equipment managing method |
US20070093243A1 (en) | 2005-10-25 | 2007-04-26 | Vivek Kapadekar | Device management system |
FR2894420A1 (en) | 2005-12-05 | 2007-06-08 | Inventel Sa | TELEPHONE COMBINE, BASE AND ASSOCIATED METHOD FOR UPDATING COMBINE SOFTWARE |
US8935429B2 (en) | 2006-12-19 | 2015-01-13 | Vmware, Inc. | Automatically determining which remote applications a user or group is entitled to access based on entitlement specifications and providing remote application access to the remote applications |
US8010701B2 (en) | 2005-12-19 | 2011-08-30 | Vmware, Inc. | Method and system for providing virtualized application workspaces |
US20070150388A1 (en) * | 2005-12-22 | 2007-06-28 | Mendiratta Veena B | Processing data calls from wireless handsets to information nodes |
US8261290B2 (en) | 2005-12-30 | 2012-09-04 | Microsoft Corporation | Heartbeat subscriptions |
US7574177B2 (en) | 2006-01-04 | 2009-08-11 | Apple Inc. | Remote controller and FM reception arrangement |
US7912994B2 (en) | 2006-01-27 | 2011-03-22 | Apple Inc. | Reducing connection time for mass storage class peripheral by internally prefetching file data into local cache in response to connection to host |
US7702322B1 (en) | 2006-02-27 | 2010-04-20 | Good Technology, Llc | Method and system for distributing and updating software in wireless devices |
US8086332B2 (en) | 2006-02-27 | 2011-12-27 | Apple Inc. | Media delivery system with improved interaction |
US7620392B1 (en) | 2006-02-27 | 2009-11-17 | Good Technology, Inc. | Method and system for distributing and updating software in wireless devices |
US20080060085A1 (en) | 2006-03-10 | 2008-03-06 | Jan Samzelius | Protecting Files on a Storage Device from Unauthorized Access or Copying |
US20070261044A1 (en) | 2006-05-04 | 2007-11-08 | Jonathan Clark | Chained Hook Function Serving Multiple Versions Of Identically Named Dynamically Loaded Libraries |
US8073984B2 (en) | 2006-05-22 | 2011-12-06 | Apple Inc. | Communication protocol for use with portable electronic devices |
US20070283114A1 (en) | 2006-06-01 | 2007-12-06 | Lawrence Andy V | Method and system for dividing a hard disk drive into multiple host access spaces |
US20070294380A1 (en) | 2006-06-14 | 2007-12-20 | Kabushiki Kaisha Toshiba | System and method for periodic server-to-client data delivery |
US8272048B2 (en) | 2006-08-04 | 2012-09-18 | Apple Inc. | Restriction of program process capabilities |
US8903365B2 (en) | 2006-08-18 | 2014-12-02 | Ca, Inc. | Mobile device management |
US20080125079A1 (en) | 2006-11-07 | 2008-05-29 | O'neil Douglas | Methods, systems and computer products for remote monitoring and control of application usage on mobile devices |
US20080115225A1 (en) | 2006-11-14 | 2008-05-15 | Fabrice Jogand-Coulomb | System for allowing multiple users to access preview content |
US8255887B2 (en) | 2006-11-29 | 2012-08-28 | International Business Machines Corporation | Method and apparatus for re-using memory allocated for data structures used by software processes |
KR100915803B1 (en) | 2006-12-05 | 2009-09-07 | 한국전자통신연구원 | Application Program Launching Method and System for Improving Security of Embedded Linux Kernel |
US8000736B2 (en) | 2007-01-06 | 2011-08-16 | Apple Inc. | User programmable switch for portable data processing devices |
US8181264B2 (en) | 2007-02-07 | 2012-05-15 | Apple Inc. | Method and apparatus for deferred security analysis |
WO2008103608A2 (en) | 2007-02-19 | 2008-08-28 | Ondeego, Inc. | Methods and system to create applications and distribute applications to a remote device |
WO2008107510A1 (en) * | 2007-03-07 | 2008-09-12 | Cvon Innovations Ltd | An access control method and system |
US8561060B2 (en) | 2007-04-26 | 2013-10-15 | Advanced Micro Devices, Inc. | Processor and method configured to determine an exit mechanism using an intercept configuration for a virtual machine |
US8214885B2 (en) | 2007-05-07 | 2012-07-03 | Mocana Corporation | Managing network components using USB keys |
US20080297481A1 (en) * | 2007-05-30 | 2008-12-04 | Yuvee, Inc. | Direct access mobile content system |
US8045995B2 (en) * | 2007-05-31 | 2011-10-25 | Yahoo! Inc. | Centralized location broker |
US8060074B2 (en) | 2007-07-30 | 2011-11-15 | Mobile Iron, Inc. | Virtual instance architecture for mobile device management systems |
US8245289B2 (en) | 2007-11-09 | 2012-08-14 | International Business Machines Corporation | Methods and systems for preventing security breaches |
US7793340B2 (en) | 2007-11-21 | 2010-09-07 | Novell, Inc. | Cryptographic binding of authentication schemes |
US20090150970A1 (en) | 2007-12-05 | 2009-06-11 | Sybase, Inc. | Data Fading to Secure Data on Mobile Client Devices |
US8099541B2 (en) | 2008-01-22 | 2012-01-17 | Globalfoundries Inc. | Minivisor entry point in virtual machine monitor address space |
US9185554B2 (en) | 2008-02-15 | 2015-11-10 | Appcentral, Inc. | System and methods to store, retrieve, manage, augment and monitor applications on appliances |
US8924469B2 (en) | 2008-06-05 | 2014-12-30 | Headwater Partners I Llc | Enterprise access control and accounting allocation for access networks |
US8321526B2 (en) * | 2009-01-28 | 2012-11-27 | Headwater Partners I, Llc | Verifiable device assisted service usage billing with integrated accounting, mediation accounting, and multi-account |
US8254902B2 (en) | 2008-06-26 | 2012-08-28 | Apple Inc. | Apparatus and methods for enforcement of policies upon a wireless device |
US20100004959A1 (en) * | 2008-07-01 | 2010-01-07 | Robert Weingrad | Methods and system for reserving services from service providers |
US8259692B2 (en) * | 2008-07-11 | 2012-09-04 | Nokia Corporation | Method providing positioning and navigation inside large buildings |
US9047163B2 (en) | 2008-08-14 | 2015-06-02 | Red Hat, Inc. | Managing the distribution of client packages |
US20100077035A1 (en) | 2008-09-23 | 2010-03-25 | Nokia Corporation | Optimized Polling in Low Resource Devices |
US8990116B2 (en) | 2008-10-07 | 2015-03-24 | Mocana Corporation | Preventing execution of tampered application code in a computer system |
US8051432B2 (en) | 2008-11-14 | 2011-11-01 | Novell, Inc. | Techniques for establishing virtual devices |
US20100159898A1 (en) | 2008-12-19 | 2010-06-24 | Openpeak, Inc. | Services platform for networked devices that provide telephony and digital media services |
US20100180276A1 (en) | 2009-01-15 | 2010-07-15 | Jiva Azeem S | Application partitioning across a virtualized environment |
US9557889B2 (en) * | 2009-01-28 | 2017-01-31 | Headwater Partners I Llc | Service plan design, user interfaces, application programming interfaces, and device management |
US8121638B2 (en) | 2009-02-27 | 2012-02-21 | Research In Motion Limited | System and method for security on a mobile device using multiple communication domains |
US8484728B2 (en) | 2009-06-03 | 2013-07-09 | Apple Inc. | Managing securely installed applications |
US8302094B2 (en) | 2009-06-26 | 2012-10-30 | Vmware, Inc. | Routing a physical device request using transformer stack to an equivalent physical device in a virtualized mobile device |
US8233882B2 (en) | 2009-06-26 | 2012-07-31 | Vmware, Inc. | Providing security in mobile devices via a virtualization software layer |
US8219063B2 (en) | 2009-06-26 | 2012-07-10 | Vmware, Inc. | Controlling usage in mobile devices via a virtualization software layer |
US8341749B2 (en) | 2009-06-26 | 2012-12-25 | Vmware, Inc. | Preventing malware attacks in virtualized mobile devices |
US8438256B2 (en) | 2009-06-26 | 2013-05-07 | Vmware, Inc. | Migrating functionality in virtualized mobile devices |
US8839422B2 (en) | 2009-06-30 | 2014-09-16 | George Mason Research Foundation, Inc. | Virtual browsing environment |
JP5449905B2 (en) | 2009-07-29 | 2014-03-19 | フェリカネットワークス株式会社 | Information processing apparatus, program, and information processing system |
US8675084B2 (en) | 2009-09-04 | 2014-03-18 | Apple Inc. | Systems and methods for remote camera control |
US8984657B2 (en) | 2009-09-08 | 2015-03-17 | Appcentral, Inc. | System and method for remote management of applications downloaded to a personal portable wireless appliance |
WO2011039571A1 (en) * | 2009-09-30 | 2011-04-07 | Nokia Corporation | Apparatus and method for providing access to a local area network |
US20110082789A1 (en) | 2009-10-06 | 2011-04-07 | Apple Inc. | Vendor payment consolidation system |
US20110093583A1 (en) | 2009-10-16 | 2011-04-21 | Apple Inc. | Triggering actions based on changes in a network connection |
FR2953611A1 (en) | 2009-12-07 | 2011-06-10 | Spawnapps | METHOD FOR PROVIDING A TARGET APPLICATION |
US8850572B2 (en) | 2010-01-15 | 2014-09-30 | Apple Inc. | Methods for handling a file associated with a program in a restricted program environment |
US20110178863A1 (en) * | 2010-01-19 | 2011-07-21 | Daigle Mark R | Location based consumer interface for retail environment |
US8977842B1 (en) | 2010-02-05 | 2015-03-10 | Symantec Corporation | Hypervisor enabled secure inter-container communications |
US9299255B2 (en) * | 2010-03-04 | 2016-03-29 | Verizon Telematics Inc. | Method and system for providing location information of a vehicle to a user device |
US8180893B1 (en) | 2010-03-15 | 2012-05-15 | Symantec Corporation | Component-level sandboxing |
US8832652B2 (en) | 2010-03-26 | 2014-09-09 | Bmc Software, Inc. | Method for customizing software applications |
KR100984639B1 (en) | 2010-04-29 | 2010-10-01 | 김경훈 | Automatic security assessment system and its implementation method |
US10142292B2 (en) | 2010-06-30 | 2018-11-27 | Pulse Secure Llc | Dual-mode multi-service VPN network client for mobile device |
WO2012024418A1 (en) | 2010-08-17 | 2012-02-23 | Openpeak Inc. | System containing a mobile communication device and associated docking station |
US8955152B1 (en) | 2010-09-07 | 2015-02-10 | Symantec Corporation | Systems and methods to manage an application |
US20120066223A1 (en) | 2010-09-13 | 2012-03-15 | Openpeak Inc. | Method and computing device for creating distinct user spaces |
US8959451B2 (en) * | 2010-09-24 | 2015-02-17 | Blackberry Limited | Launching an application based on data classification |
AU2011312872B2 (en) * | 2010-09-28 | 2015-12-17 | Headwater Research Llc | Service design center for device assisted services |
US20120102564A1 (en) | 2010-10-25 | 2012-04-26 | Openpeak Inc. | Creating distinct user spaces through mountable file systems |
US8650658B2 (en) | 2010-10-25 | 2014-02-11 | Openpeak Inc. | Creating distinct user spaces through user identifiers |
US20120303476A1 (en) | 2010-11-09 | 2012-11-29 | Openpeak Inc. | Communication devices, networks, services and accompanying methods |
US8359016B2 (en) | 2010-11-19 | 2013-01-22 | Mobile Iron, Inc. | Management of mobile applications |
US8806040B2 (en) * | 2010-12-06 | 2014-08-12 | Red Hat, Inc. | Accessing external network via proxy server |
US8745598B2 (en) | 2010-12-14 | 2014-06-03 | Bmc Software, Inc. | Running injected code prior to execution of an application |
US8693358B2 (en) * | 2010-12-16 | 2014-04-08 | Syniverse Technologies, Inc. | Providing toll free data in a wireless system |
US9288230B2 (en) * | 2010-12-20 | 2016-03-15 | Qualcomm Incorporated | Methods and apparatus for providing or receiving data connectivity |
US20120159567A1 (en) | 2010-12-21 | 2012-06-21 | Enterproid Hk Ltd | Contextual role awareness |
US20120185767A1 (en) | 2011-01-14 | 2012-07-19 | Apple Inc. | Modifying application behavior |
US8671416B2 (en) | 2011-01-14 | 2014-03-11 | Apple Inc. | Dynamic service discovery |
US8594618B2 (en) * | 2011-02-08 | 2013-11-26 | Macheen, Inc. | System and method for task specific, metered bandwidth control within shared client environment on mobile communications platforms |
US9537869B2 (en) | 2011-02-11 | 2017-01-03 | Blue Cedar Networks, Inc. | Geographical restrictions for application usage on a mobile device |
US8990920B2 (en) | 2011-02-11 | 2015-03-24 | Mocana Corporation | Creating a virtual private network (VPN) for a single app on an internet-enabled device or system |
US8893298B2 (en) | 2011-02-11 | 2014-11-18 | Mocana Corporation | Network linker for secure execution of unsecured apps on a device |
US8549656B2 (en) | 2011-02-11 | 2013-10-01 | Mocana Corporation | Securing and managing apps on a device |
US8812868B2 (en) | 2011-03-21 | 2014-08-19 | Mocana Corporation | Secure execution of unsecured apps on a device |
US8955142B2 (en) | 2011-03-21 | 2015-02-10 | Mocana Corporation | Secure execution of unsecured apps on a device |
US8769305B2 (en) | 2011-03-21 | 2014-07-01 | Moncana Corporation | Secure execution of unsecured apps on a device |
US8831517B2 (en) * | 2011-04-13 | 2014-09-09 | At&T Intellectual Property I, L.P. | Devices, systems, and methods for sponsored tethered connectivity |
EP2705428A4 (en) | 2011-05-04 | 2014-10-15 | Apperian Inc | Processing, modification, distribution of installation packages |
US20120302204A1 (en) | 2011-05-24 | 2012-11-29 | Pankaj Gupta | Telecom Information Management System |
US10078755B2 (en) | 2011-05-27 | 2018-09-18 | Apple Inc. | Private and public applications |
US8646100B2 (en) | 2011-06-03 | 2014-02-04 | Apple Inc. | Method for executing an application in a restricted operating environment |
US8601579B2 (en) | 2011-06-03 | 2013-12-03 | Apple Inc. | System and method for preserving references in sandboxes |
US8725112B2 (en) | 2011-06-05 | 2014-05-13 | Apple Inc. | Activation solution |
US9465633B2 (en) | 2011-08-05 | 2016-10-11 | Vmware, Inc. | Displaying applications of a virtual mobile device in a user interface of a mobile device |
US9171139B2 (en) | 2011-08-05 | 2015-10-27 | Vmware, Inc. | Lock screens to access work environments on a personal mobile device |
AU2012304619B2 (en) * | 2011-09-09 | 2016-10-06 | Interdigital Patent Holdings, Inc. | Methods and apparatus for accessing localized applications |
FR2981174B1 (en) | 2011-10-06 | 2013-12-20 | Thales Sa | METHOD FOR DYNAMICALLY CREATING AN ENVIRONMENT FOR EXECUTING AN APPLICATION TO SECURE SUCH APPLICATION, COMPUTER PROGRAM PRODUCT AND COMPUTER APPARATUS THEREFOR |
US8695060B2 (en) | 2011-10-10 | 2014-04-08 | Openpeak Inc. | System and method for creating secure applications |
US20140032733A1 (en) * | 2011-10-11 | 2014-01-30 | Citrix Systems, Inc. | Policy-Based Application Management |
US9529996B2 (en) * | 2011-10-11 | 2016-12-27 | Citrix Systems, Inc. | Controlling mobile device access to enterprise resources |
US20130091557A1 (en) | 2011-10-11 | 2013-04-11 | Wheel Innovationz, Inc. | System and method for providing cloud-based cross-platform application stores for mobile computing devices |
US10291658B2 (en) * | 2011-11-09 | 2019-05-14 | Microsoft Technology Licensing, Llc | Techniques to apply and share remote policies on mobile devices |
US8893261B2 (en) | 2011-11-22 | 2014-11-18 | Vmware, Inc. | Method and system for VPN isolation using network namespaces |
US9122887B2 (en) | 2012-01-06 | 2015-09-01 | Mobile Iron, Inc. | User interface for secure virtual document management system |
US8978094B2 (en) | 2012-02-03 | 2015-03-10 | Apple Inc. | Centralized operation management |
US9705813B2 (en) | 2012-02-14 | 2017-07-11 | Airwatch, Llc | Controlling distribution of resources on a network |
US20130226669A1 (en) | 2012-02-29 | 2013-08-29 | The Trustees Of Princeton University | System and Methods for Time Dependent Internet Pricing |
US20130260730A1 (en) | 2012-03-28 | 2013-10-03 | Enterproid Hk Ltd | Custom application container for mobile operating systems and/or devices |
US20130260713A1 (en) | 2012-03-28 | 2013-10-03 | Enterproid Hk Ltd | Usage metering for custom application containers |
US8990901B2 (en) | 2012-05-05 | 2015-03-24 | Citrix Systems, Inc. | Systems and methods for network filtering in VPN |
US8955068B1 (en) | 2012-05-09 | 2015-02-10 | Symantec Corporation | Systems and methods for providing strong authentication for web-based applications |
KR20150076137A (en) | 2012-05-18 | 2015-07-06 | 아쿠토 코포레이션 | Charging and billing for content, services, and access |
US9865009B2 (en) | 2012-06-12 | 2018-01-09 | The Trustess Of Princeton University | System and method for variable pricing of data usage |
EP2880849A4 (en) * | 2012-08-03 | 2016-03-30 | Nec Corp | Mobile terminal, communication method, communication system, program, information processing apparatus, service rendering method and distribution server |
US9152781B2 (en) | 2012-08-09 | 2015-10-06 | Cisco Technology, Inc. | Secure mobile client with assertions for access to service provider applications |
US9087191B2 (en) | 2012-08-24 | 2015-07-21 | Vmware, Inc. | Method and system for facilitating isolated workspace for applications |
US20140089487A1 (en) | 2012-09-27 | 2014-03-27 | Jeremy Debate | Control of a remote computer device |
US20140089376A1 (en) | 2012-09-27 | 2014-03-27 | John T. Caldas | Control of applications installed on a remote device |
US20140108793A1 (en) | 2012-10-16 | 2014-04-17 | Citrix Systems, Inc. | Controlling mobile device access to secure data |
US8978110B2 (en) | 2012-12-06 | 2015-03-10 | Airwatch Llc | Systems and methods for controlling email access |
US20140173747A1 (en) | 2012-12-13 | 2014-06-19 | Apple Inc. | Disabling access to applications and content in a privacy mode |
US9866382B2 (en) | 2012-12-21 | 2018-01-09 | Mobile Iron, Inc. | Secure app-to-app communication |
US9535674B2 (en) | 2012-12-21 | 2017-01-03 | Bmc Software, Inc. | Application wrapping system and method |
US20140181842A1 (en) | 2012-12-21 | 2014-06-26 | Mobile Iron, Inc. | Secure mobile app connection bus |
EP2956883B1 (en) | 2013-02-14 | 2017-03-22 | VMware, Inc. | Method and apparatus for application awareness in a network |
US9445271B2 (en) | 2013-03-01 | 2016-09-13 | Mobile Iron, Inc. | Multi-user use of single-user apps |
US20140280955A1 (en) | 2013-03-14 | 2014-09-18 | Sky Socket, Llc | Controlling Electronically Communicated Resources |
US9473417B2 (en) | 2013-03-14 | 2016-10-18 | Airwatch Llc | Controlling resources used by computing devices |
US9401915B2 (en) | 2013-03-15 | 2016-07-26 | Airwatch Llc | Secondary device as key for authorizing access to resources |
US9967241B2 (en) * | 2013-03-15 | 2018-05-08 | Verizon Patent And Licensing Inc. | Persona based billing |
US9819682B2 (en) | 2013-03-15 | 2017-11-14 | Airwatch Llc | Certificate based profile confirmation |
US9275245B2 (en) | 2013-03-15 | 2016-03-01 | Airwatch Llc | Data access sharing |
US9203820B2 (en) | 2013-03-15 | 2015-12-01 | Airwatch Llc | Application program as key for authorizing access to resources |
US9148416B2 (en) | 2013-03-15 | 2015-09-29 | Airwatch Llc | Controlling physical access to secure areas via client devices in a networked environment |
US10652242B2 (en) | 2013-03-15 | 2020-05-12 | Airwatch, Llc | Incremental compliance remediation |
US8997187B2 (en) | 2013-03-15 | 2015-03-31 | Airwatch Llc | Delegating authorization to applications on a client device in a networked environment |
US9609492B2 (en) | 2013-10-17 | 2017-03-28 | Openet Telecom Ltd. | Method and system for dynamically creating tunnels suitable for metering and managing usage data for applications and services |
US9276938B2 (en) * | 2013-11-27 | 2016-03-01 | General Electric Company | Cross-enterprise workflow |
JP6454076B2 (en) * | 2014-03-20 | 2019-01-16 | キヤノン株式会社 | Relay device, communication device, control method, system, and program thereof |
US8938547B1 (en) | 2014-09-05 | 2015-01-20 | Openpeak Inc. | Method and system for data usage accounting in a computing device |
-
2015
- 2015-02-06 US US14/615,799 patent/US20160071040A1/en not_active Abandoned
- 2015-03-26 US US14/669,120 patent/US9106538B1/en active Active
- 2015-08-10 US US14/822,150 patent/US20160072786A1/en not_active Abandoned
-
2017
- 2017-07-24 US US15/658,015 patent/US10410154B2/en active Active
-
2019
- 2019-08-06 US US16/533,094 patent/US10943198B2/en active Active
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107563741A (en) * | 2017-10-20 | 2018-01-09 | 国信嘉宁数据技术有限公司 | A kind of data save related service charging method and system from damage |
Also Published As
Publication number | Publication date |
---|---|
US9106538B1 (en) | 2015-08-11 |
US10943198B2 (en) | 2021-03-09 |
US10410154B2 (en) | 2019-09-10 |
US20160072786A1 (en) | 2016-03-10 |
US20190362285A1 (en) | 2019-11-28 |
US20170330122A1 (en) | 2017-11-16 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10943198B2 (en) | Method and system for enabling data usage accounting through a relay | |
US9232012B1 (en) | Method and system for data usage accounting in a computing device | |
US9350818B2 (en) | Method and system for enabling data usage accounting for unreliable transport communication | |
US9749292B2 (en) | Selectively performing man in the middle decryption | |
US9521147B2 (en) | Policy based application management | |
US8881229B2 (en) | Policy-based application management | |
US11115211B2 (en) | Secure container platform for resource access and placement on unmanaged and unsecured devices | |
US9100390B1 (en) | Method and system for enrolling and authenticating computing devices for data usage accounting | |
US20140096186A1 (en) | Policy-Based Application Management | |
EP3422237A1 (en) | Policy-based application management | |
WO2014084967A1 (en) | Policy-based application management | |
US9232013B1 (en) | Method and system for enabling data usage accounting |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: OPENPEAK INC., FLORIDA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:ASNIS, JAMES;REEL/FRAME:035191/0848 Effective date: 20150316 |
|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |
|
AS | Assignment |
Owner name: OPENPEAK LLC, TEXAS Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:OPENPEAK, INC.;REEL/FRAME:042752/0945 Effective date: 20170424 |
|
AS | Assignment |
Owner name: VMWARE, INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:OPENPEAK LLC;REEL/FRAME:044325/0553 Effective date: 20171130 |
|
AS | Assignment |
Owner name: OPENPEAK LLC, TEXAS Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:NI, HAO;REEL/FRAME:047675/0378 Effective date: 20170425 |